
Oi, Android devs! Facebook wants your apps to be more secure

Open source crypto library helps lock down private data

Facebook has released the source code of a software library that's designed to make it easier for developers to implement fast, secure cryptography in their Android apps.

Dubbed Conceal, the library was developed for a limited range of tasks with the specific needs of Android developers in mind, allowing app makers to include encryption without being cryptography experts.

"Unlike other libraries, which provide a wide range of encryption algorithms and options, Conceal prefers to abstract this choice and include sensible defaults," Facebook engineer Subodh Iyengar wrote in a blog post. "We think this makes sense because encryption can be very tricky to get right."

Facebook hasn't tried to write its own crypto code from scratch. Rather, Conceal takes advantage of a number of cherry-picked algorithms from the industry-standard OpenSSL open source library.

By eliminating the parts of OpenSSL it didn't need, however, Facebook managed to slim down its encryption code to a mere 85KB. By comparison, the full OpenSSL library takes up around 1MB when compiled for ARM chips.

The algorithms that Conceal uses are also fast, even on low-powered ARM chips. In Facebook's own tests on a low-end Samsung Galaxy Y smartphone, Conceal performed significantly better than both stock Java cryptography and the Bouncy Castle library.

Graph showing benchmarks of Facebook's Conceal security library

Not just easy, but fast: Conceal can encrypt and decrypt data many times faster than other methods

Conceal offers up these algorithms via a simple API that abstracts away most of the choices that other libraries require developers to make. Pass an I/O stream to Conceal, and Conceal returns a wrapped stream that's automatically decrypted or encrypted as it's read or written.

That means Conceal won't be useful for every encryption application, but it will work for a few use cases that crop up frequently on Android. Foremost, it can be used to encrypt data that's stored on SD cards, which is why Facebook invented it in the first place.
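The wrapped-stream pattern described above, as an added example that is not from the article, from Facebook or from Conceal: it uses the JDK's own `javax.crypto` with AES-GCM chosen as this example's fixed default, not Conceal's API. The class name `SealedStreams`, the entity label and the in-memory buffer standing in for an SD card file are assumptions made for illustration; it needs Java 9 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
// Added illustration of the wrapped-stream pattern; NOT Conceal's API (all names are hypothetical).
public class SealedStreams {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Returns a stream that encrypts everything written to it into `out`.
    static OutputStream encrypting(OutputStream out, SecretKey key, String entity) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);   // fresh nonce per file; never reuse one with the same key
        out.write(iv);                      // the nonce is not secret, so it is stored as a header
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(entity.getBytes(StandardCharsets.UTF_8)); // bind the ciphertext to its logical name
        return new CipherOutputStream(out, c);
    }

    // Returns a stream that decrypts `in`; a failed integrity check surfaces as an IOException.
    static InputStream decrypting(InputStream in, SecretKey key, String entity) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new DataInputStream(in).readFully(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(entity.getBytes(StandardCharsets.UTF_8));
        return new CipherInputStream(in, c);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // constructed here; on a device, keep the key in app-private storage
        ByteArrayOutputStream sd = new ByteArrayOutputStream(); // stands in for a file on external storage
        try (OutputStream o = encrypting(sd, key, "cache/photo-1")) {
            o.write("private data".getBytes(StandardCharsets.UTF_8));
        }
        byte[] stored = sd.toByteArray();
        try (InputStream i = decrypting(new ByteArrayInputStream(stored), key, "cache/photo-1")) {
            System.out.println(new String(i.readAllBytes(), StandardCharsets.UTF_8));
        }
        stored[stored.length - 1] ^= 1; // simulate the stored file being modified
        try (InputStream i = decrypting(new ByteArrayInputStream(stored), key, "cache/photo-1")) {
            i.readAllBytes();
        } catch (IOException e) {
            System.out.println("modification detected: " + e.getCause());
        }
    }
}
```

Callers must read the decrypting stream to end-of-stream before trusting any of the data, because the authentication tag is only checked once the final block has been processed.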

"What many people don't realize is that Android's privacy model treats the SD card storage as a publicly accessible directory," Iyengar wrote. "This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information."

Facebook, obviously, deals with a lot of private information. Thus, the Facebook app for Android doesn't write anything to the SD card without encrypting it with Conceal. It's enough to make one wonder how many other Android apps also encrypt their data – but now they can.

Iyengar says the current version of Conceal is officially supported on Android 2.3 "Gingerbread" and up, although it should also work on Android 2.2 "Froyo" devices. Facebook has released the code as open source under a BSD license, and it's available now on GitHub, here. ®
