Security with a taste of Google

Google I / O 2019 died down and it's time rewrite projects to new architecture learn new items. Since I am interested in the security of mobile applications, first of all I paid attention to the new library in the JetPack family - security-crypto . The library helps to organize data encryption correctly while protecting developers from all the nuances that accompany this process.

History reference

Data encryption in Android has always spawned a lot of discussion. Which algorithm to choose? What encryption mode to use? What is padding? Where to store the keys? For an ordinary developer, learning all this and keeping knowledge up to date can be difficult. Therefore, the story most often ended in one of three scenarios:

• copy-paste of the first stackoverflow solution
• search for a "suitable manual" followed by implementation and collecting a rake
• activation of the protocol "And so it will come down!"

As the community of Android developers developed, libraries began to emerge to help solve this problem. The quality of these solutions was very different: of all this variety, I can only select java-aes-crypto , which we used in Redmadrobot. Pretty high-quality implementation, but there were a couple of problems with it.

First, it was just string encryption. This in itself is not bad, but after all these lines need to be stored somewhere, in a DB or SharedPreferences. So, you need to write a wrapper over the data source, so that everything is encrypted on the fly (which we once did). But this is the code that needs to be maintained, dragged from project to project, or processed into a library for ease of use. In the end, this was also done, but it did not bring peace to inquiring minds.

Secondly, this solution offered nothing to solve the problem of key management. They could be generated, but the storage fell entirely on the shoulders of the developer. With all the squats around AndroidKeystore on different versions of the OS and devices that came from China Mainland.

This city needs a new hero

Everything went on as usual, until in the summer of 2018 I discovered that there is such a wonderful library from Google as Tink . It is quite simple to learn and protects the developer from the huge number of nuances related to cryptography. Using this library is almost impossible to do something wrong. Moreover, Tink completely assumes key management and abstracts all operations from the developer from AndroidKeystore.

But it was still just string encryption. And then Binary Preferences turned up very well - a library from a domestic producer, which I have long wanted to look at. It allows you to encrypt all the stored data of any algorithms - for this it was enough to write the implementation of two interfaces, KeyEncryption and ValueEncryption (for keys and values, respectively).

As a result, we began to use these two libraries in a bundle and were happy that our code became cleaner and easier to understand.

security-crypto

Now, Google has once again decided to meet the developers and simplify their lives in the area of ​​encryption of stored data. Another JetPack library was announced to help with this. It became interesting to me that they wrote such a revolutionary there, and I found it useful to search for documentation (spoiler: there is none). I found only javadocs for the classes in the library, but thanks for that. It turned out that there are few opportunities: file encryption, SharedPreferences, and working with keys.

To test the library, I wrote a couple of snippets:

val file = File(filesDir, "super_secure_file") val encryptedFile = EncryptedFile.Builder(file, this, "my_secret_key", EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB) .setKeysetAlias("my_test_keyset_alias") .setKeysetPrefName("keyset_pref_file") .build() val outputStream = encryptedFile.openFileOutput() outputStream.use { it.write("secret info".toByteArray()) } 

 val encryptedPreferences = EncryptedSharedPreferences.create( "super_secret_preferences", "prefrences_master_key", this, EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM ) encryptedPreferences.edit().putString("secret", "super secret token") 

To my great surprise, everything worked the first time, and I climbed to look at what code they wrote for this library. Having fallen into the sources, I saw that this is actually a wrapper around the already known Tink library, and the written code is almost one-on-one as we wrote for encrypted BinaryPreferences.

I was very glad that Google didn’t reinvent the bike this time, but used his well-proven ideas. Let's hope that the security package that came to JetPack will not be limited to this library, but will develop further.

Demonstration of the work of the BinaryPreferences + Tink bundle
Source code of the security-crypto library
Demonstration of security-crypto