Oi, Android devs! Facebook wants your apps to be more secure

Open source crypto library helps lock down private data

Facebook has released the source code of a software library that's designed to make it easier for developers to implement fast, secure cryptography in their Android apps.

Dubbed Conceal, the library was developed for a limited range of tasks with the specific needs of Android developers in mind, allowing app makers to include encryption without being cryptography experts.

"Unlike other libraries, which provide a wide range of encryption algorithms and options, Conceal prefers to abstract this choice and include sensible defaults," Facebook engineer Subodh Iyengar wrote in a blog post. "We think this makes sense because encryption can be very tricky to get right."

Facebook hasn't tried to write its own crypto code from scratch. Rather, Conceal takes advantage of a number of cherry-picked algorithms from the industry-standard OpenSSL open source library.

By eliminating the parts of OpenSSL it didn't need, however, Facebook managed to slim down its encryption code to a mere 85KB. By comparison, the full OpenSSL library takes up around 1MB when compiled for ARM chips.

The algorithms that Conceal uses are also fast, even on low-powered ARM chips. In Facebook's own tests on a low-end Samsung Galaxy Y smartphone, Conceal performed significantly better than both stock Java cryptography and the Bouncy Castle library.

Graph showing benchmarks of Facebook's Conceal security library

Not just easy, but fast: Conceal can encrypt and decrypt data many times faster than other methods

Conceal offers up these algorithms via a simple API that abstracts away most of the choices that other libraries require developers to make. Pass an I/O stream to Conceal, and Conceal returns a wrapped stream that's automatically decrypted or encrypted as it's read or written.

That means Conceal won't be useful for every encryption application, but it will work for a few use cases that crop up frequently on Android. Foremost, it can be used to encrypt data that's stored on SD cards, which is why Facebook invented it in the first place.

"What many people don't realize is that Android's privacy model treats the SD card storage as a publicly accessible directory," Iyengar wrote. "This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information."

Facebook, obviously, deals with a lot of private information. Thus, the Facebook app for Android doesn't write anything to the SD card without encrypting it with Conceal. It's enough to make one wonder how many other Android apps also encrypt their data – but now they can.

Iyengar says the current version of Conceal is officially supported on Android 2.3 "Gingerbread" and up, although it should also work on Android 2.2 "Froyo" devices. Facebook has released the code as open source under a BSD license, and it's available now on Github, here. ®

Sponsored: 5 critical considerations for enterprise cloud backup