Feeds

Oi, Android devs! Facebook wants your apps to be more secure

Open source crypto library helps lock down private data

Top 5 reasons to deploy VMware with Tegile

Facebook has released the source code of a software library that's designed to make it easier for developers to implement fast, secure cryptography in their Android apps.

Dubbed Conceal, the library was developed for a limited range of tasks with the specific needs of Android developers in mind, allowing app makers to include encryption without being cryptography experts.

"Unlike other libraries, which provide a wide range of encryption algorithms and options, Conceal prefers to abstract this choice and include sensible defaults," Facebook engineer Subodh Iyengar wrote in a blog post. "We think this makes sense because encryption can be very tricky to get right."

Facebook hasn't tried to write its own crypto code from scratch. Rather, Conceal takes advantage of a number of cherry-picked algorithms from the industry-standard OpenSSL open source library.

By eliminating the parts of OpenSSL it didn't need, however, Facebook managed to slim down its encryption code to a mere 85KB. By comparison, the full OpenSSL library takes up around 1MB when compiled for ARM chips.

The algorithms that Conceal uses are also fast, even on low-powered ARM chips. In Facebook's own tests on a low-end Samsung Galaxy Y smartphone, Conceal performed significantly better than both stock Java cryptography and the Bouncy Castle library.

Graph showing benchmarks of Facebook's Conceal security library

Not just easy, but fast: Conceal can encrypt and decrypt data many times faster than other methods

Conceal offers up these algorithms via a simple API that abstracts away most of the choices that other libraries require developers to make. Pass an I/O stream to Conceal, and Conceal returns a wrapped stream that's automatically decrypted or encrypted as it's read or written.

That means Conceal won't be useful for every encryption application, but it will work for a few use cases that crop up frequently on Android. Foremost, it can be used to encrypt data that's stored on SD cards, which is why Facebook invented it in the first place.

"What many people don't realize is that Android's privacy model treats the SD card storage as a publicly accessible directory," Iyengar wrote. "This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information."

Facebook, obviously, deals with a lot of private information. Thus, the Facebook app for Android doesn't write anything to the SD card without encrypting it with Conceal. It's enough to make one wonder how many other Android apps also encrypt their data – but now they can.

Iyengar says the current version of Conceal is officially supported on Android 2.3 "Gingerbread" and up, although it should also work on Android 2.2 "Froyo" devices. Facebook has released the code as open source under a BSD license, and it's available now on Github, here. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Google opens Inbox – email for people too stupid to use email
Print this article out and give it to someone techy if you get stuck
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.