Feeds

Oi, Android devs! Facebook wants your apps to be more secure

Open source crypto library helps lock down private data

Eight steps to building an HP BladeSystem

Facebook has released the source code of a software library that's designed to make it easier for developers to implement fast, secure cryptography in their Android apps.

Dubbed Conceal, the library was developed for a limited range of tasks with the specific needs of Android developers in mind, allowing app makers to include encryption without being cryptography experts.

"Unlike other libraries, which provide a wide range of encryption algorithms and options, Conceal prefers to abstract this choice and include sensible defaults," Facebook engineer Subodh Iyengar wrote in a blog post. "We think this makes sense because encryption can be very tricky to get right."

Facebook hasn't tried to write its own crypto code from scratch. Rather, Conceal takes advantage of a number of cherry-picked algorithms from the industry-standard OpenSSL open source library.

By eliminating the parts of OpenSSL it didn't need, however, Facebook managed to slim down its encryption code to a mere 85KB. By comparison, the full OpenSSL library takes up around 1MB when compiled for ARM chips.

The algorithms that Conceal uses are also fast, even on low-powered ARM chips. In Facebook's own tests on a low-end Samsung Galaxy Y smartphone, Conceal performed significantly better than both stock Java cryptography and the Bouncy Castle library.

Graph showing benchmarks of Facebook's Conceal security library

Not just easy, but fast: Conceal can encrypt and decrypt data many times faster than other methods

Conceal offers up these algorithms via a simple API that abstracts away most of the choices that other libraries require developers to make. Pass an I/O stream to Conceal, and Conceal returns a wrapped stream that's automatically decrypted or encrypted as it's read or written.

That means Conceal won't be useful for every encryption application, but it will work for a few use cases that crop up frequently on Android. Foremost, it can be used to encrypt data that's stored on SD cards, which is why Facebook invented it in the first place.

"What many people don't realize is that Android's privacy model treats the SD card storage as a publicly accessible directory," Iyengar wrote. "This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information."

Facebook, obviously, deals with a lot of private information. Thus, the Facebook app for Android doesn't write anything to the SD card without encrypting it with Conceal. It's enough to make one wonder how many other Android apps also encrypt their data – but now they can.

Iyengar says the current version of Conceal is officially supported on Android 2.3 "Gingerbread" and up, although it should also work on Android 2.2 "Froyo" devices. Facebook has released the code as open source under a BSD license, and it's available now on Github, here. ®

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
That AMAZING Windows comeback: Wow – 0.5% growth in 2015
Whoooah, my face is going all floppy with the speed
'I don't want to go on the cart' ... OpenSSL revived with survival roadmap
Heartbleed-battered crypto library reveals long path back to health
Conformist Google: Android devices must LOOK, WORK ALIKE
Demands watch, TV, and car makers stick to default UI
Linux turns the crank on code for cars
Got a feel for your automobile
Google policy wonk patronises Brits over EU search biz probe
Downgrading rivals? Whetstone: 'I just don't think it's really true'
Chrome Remote Desktop adds Linux to supported OS list
Drive Debian from the confines of a Chromebook
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
The Power of One eBook: Top reasons to choose HP BladeSystem
Only the Power of One delivers leading infrastructure convergence, availability and scalability with federation, and agility through data center automation.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.