Conceal APIs seek to make encryption done by Android apps efficient and simple
In an altruistic move, Facebook has open sourced code that makes it easier and more efficient for Android developers to perform encryption for apps on the Google operating system.
Facebook is hoping to fix a weakness in the way Android deals with storage with its Conceal application programming interfaces. Often, the solution to limited storage on an Android device is to push some data out to the SD card, but that is left unencrypted by default.
“This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information,” said Subodh Iyengar, software engineer at Facebook, in a blog post.
“We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps. To do this efficiently, we built Conceal, a set of Java APIs to perform cryptography on Android and make storage more secure and lightweight.”
The new programming interfaces are designed “to be small and faster than existing Java crypto libraries on Android while using memory responsibly”, Iyengar said.
Rather than open up a range of encryption options, Conceal supplies “sensible defaults” as “encryption can be very tricky to get right”. It uses the AES-GCM standard, which uses authentication on top of encryption, computing a Message Authentication Code (MAC) of the data. This helps to detect any potential tampering with data.
“Conceal doesn’t implement any crypto. Instead, it uses specific cryptographic algorithms from OpenSSL. OpenSSL’s crypto library is about 1MB when built for armv7. By using only the parts of OpenSSL we needed, we were able to reduce the size of OpenSSL to 85KB,” Iyengar added.
Developers can access the Conceal API by heading to Facebook’s GitHub page.
Facebook, which is celebrating its 10th birthday this week, has a good reputation in the open source community. Its Open Compute project aims to re-imagine the data centre as a modular, hugely-efficient facility with limited vendor lock-in.
Think you know security? Test yourself with our quiz!