The Hacker News Logo
Subscribe to Newsletter

Facebook releases 'Conceal' API for Android developers to Encrypt data on Disk

Many Smartphone applications support, installation or app data storage to an external SD Card, that can be helpful in saving space on the internal memory, but also vulnerable to hackers.

Typically, an app that has permission to read and write data from an SD card has the permission to read all data on that card, including information written by other apps. This means that if you install a malicious application by mistake, it can easily steal any sensitive data from your Phone's SD Card.

To prevent the data from being misused by any other app, the best implementation is to encrypt the data, but that will drop the performance of the device.

On its 10th birthday, as a treat for mobile developers, Facebook has unveiled the source code of its Android security tool called 'Conceal' cryptographic API Java library, that will allow app developers to encrypt data on disk in the most resource efficient way, with an easy-to-use programming interface.

Smaller than other cryptography standards and built for speed, the Conceal might end up the best solution. "We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps" Facebook Software Engineer said in a blog post.
The tool is based on algorithms from OpenSSL, a common open source encryption system for the web:
"Conceal doesn't implement any crypto. Instead, it uses specific cryptographic algorithms from OpenSSL. OpenSSL's crypto library is about 1MB when built for armv7. By using only the parts of OpenSSL we needed, we were able to reduce the size of OpenSSL to 85KB. We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well."
Conceal is smaller and faster than existing Java crypto libraries, uses AES-GCM, an authenticated encryption algorithm that helps to detect any potential tampering with data. "We instead use AES-GCM which is an authenticated encryption algorithm that not only encrypts the data, but also computes a MAC of the data at the same time." he said.

The library also provides resources for storing and managing keys to protect against known weaknesses in the Android's random number generator. Conceal officially supports Android 2.3 and higher (Gingerbread). It will run on 2.2 (Froyo) phones as well.

The company is already using the tool with the primary Facebook app that runs on Android. Developers can access the Conceal API from GITHUB.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.