
It is documented as not supporting Android. Why? Is it just because Android's BouncyCastle's implementation is shrunk down on features and doesn't support things like KeyPairGenerator/ECDSA (Elliptic Curve Digital Signature Algorithm)?
(Here's another link on that.)

Wouldn't it be enough to just use SpongyCastle instead? Is it just because Google doesn't support SpongyCastle that its KMS Java client doesn't support Android?

Vrakfall
  • I don't understand why my question got downvoted. Please, be a bit constructive and at least explain why. – Vrakfall Aug 02 '18 at 14:40

1 Answer


https://github.com/GoogleCloudPlatform/google-cloud-java/issues/1696#issuecomment-284464059 is the most authoritative explanation I can find. Quoting garrettjonesgoogle:

We have not done any specific work to make google-cloud-java compatible with Android, and there are a number of known issues (as you have discovered). First-class Android support will come at a later date.

Our currently-recommended way is to have your own server (e.g. on App Engine) that makes the calls to GCP, and your own Android app makes calls to your server. The reason is that google-cloud-java only has support for 2LO auth (service-account-based), not 3LO auth (user-account-based). If you make calls from your android app with 2LO auth, it's theoretically possible for someone to steal your service credentials from your app and use them in their own app. This isn't a problem with 3LO, though.

Russ Amos
  • Thank you! This answers my question clearly and in depth! It also made me think about a better design for my application. :) – Vrakfall Aug 03 '18 at 21:40
  • If you think that the right design would have you using KMS directly from Android, please tell us more, we want to provide appropriate support! Thanks for using GCP and Cloud KMS. – Tim Dierks Aug 04 '18 at 21:11
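
The quoted answer's concern is a service-account (2LO) credential shipped inside the app. The following is an added example, not part of the original posts or of google-cloud-java: a pre-release check that opens an APK as a zip archive and reports any packaged service-account key file. The function names, file paths, project and e-mail values are assumptions constructed for illustration.

```python
import io
import json
import zipfile

# Fields present in a Google service-account key file (the 2LO credential).
REQUIRED_FIELDS = {"type", "private_key", "client_email"}


def find_service_account_keys(apk_bytes):
    """Return (entry name, client_email) for each embedded service-account key."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.file_size > 64 * 1024:
                continue  # key files are a few KB; skip large binaries
            raw = apk.read(info)
            if b"service_account" not in raw:
                continue  # cheap pre-filter before parsing
            try:
                doc = json.loads(raw.decode("utf-8"))
            except ValueError:
                continue  # not UTF-8 JSON (e.g. compiled resources)
            if (isinstance(doc, dict) and REQUIRED_FIELDS.issubset(doc)
                    and doc["type"] == "service_account"):
                findings.append((info.filename, doc["client_email"]))
    return findings


def build_sample_apk(include_key):
    """Constructed sample: a minimal zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("assets/config.json",
                     json.dumps({"api_base": "https://backend.example"}))
        if include_key:
            apk.writestr("res/raw/credentials.json", json.dumps({
                "type": "service_account",
                "project_id": "example-project",
                "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
                "client_email": "kms-caller@example-project.iam.gserviceaccount.com",
            }))
    return buf.getvalue()


if __name__ == "__main__":
    for name, email in find_service_account_keys(build_sample_apk(True)):
        print(f"service-account key shipped in APK: {name} ({email})")
```

This only finds key files packaged as assets or raw resources; a key pasted into source as a string constant ends up in compiled code and needs a separate string scan.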