Reprint: Mobile app encryption tool parsing

The popularization of mobile Internet, more and more mobile applications into the security door, a variety of information leaks, theft number of the storm endless. More and more hackers are eyeing the mobile application, and the SD card in clear-text stored in the personal information, the database unencrypted stored user name and password, collected analysis and sent to the remote server in plaintext, which makes the hacker attack easier.

Using the Cryptography tool correctly protects our sensitive data and ensures privacy and data integrity. On the other hand, encryption is hard to use and easy to misuse. This is the recommended encryption tool for mobile applications.

Bouncy Castle

Legion of the bouncy castle is a charity group from Australia that has written bouncy castle, a widely used class library. The library provides both a lightweight cryptographic API and a provider of Java password extensions. The Android platform already has a streamlined old version of bouncy Castle (and some minor changes to fit the Android platform). The result is that any attempt to build and use the latest version of the Bouncycastle class library in your application will cause class load conflicts.

spongy Castle

The motivation behind Spongycastle is to allow Android developers to use any version of the Bouncycastle class library in their applications. Spongycastle is simply repackaging the latest version of Bouncycastle, all org.bouncycastle.* packages renamed in order to Org.spongycastle.*, The name of all Java Security API providers is changed from BC to SC.

OpenSSL

OpenSSL is an open source toolkit that implements the SSL and TLS protocols as well as the common password vault. OpenSSL has been ported to many platforms, including Android. As an alternative, you can also build from the source code and then bind to the application. These toolkits do not implement any fancy encryption capabilities, nor do they attempt to replace any of the aforementioned cryptography libraries, instead they are built on these class libraries, with the sole purpose of making it easier and more secure to use encryption.

In contrast to the common cryptography library, these toolkits typically support only a subset of algorithms, patterns, structures, and parameters. For the parts that the universal encryption tool needs to set, these toolkits provide you with a reasonable default value in case you know what you want, but you don't know how to use it, or you only care about a safe solution at the end. Let's examine a few of these toolkits to better understand their running rules.

Keyczar

Keyczar is a set of open source Toolkit, originally developed by two Google security team members, implemented in the Java,python and C + + languages, and supports both symmetric encryption and fee-heap encryption authentication. Keyczar provides secure default settings, including algorithms, secret key lengths and patterns, key loops and versioning, automatic generation of initial vectors and authorization codes, and internationalization support. The toolkit is built on JCE and uses the spongy castle security provider.

aerogear Crypto

Aerogear Crypto is a small Java library provided by Aerogear. It supports authenticated symmetric encryption, elliptic curve encryption, and password-based key derivation. It also provides an explicit setting for the algorithm. Aerogear Crypto relies on spongy Castle on the Android platform and relies on bouncy Castle on other platforms. The library is also available on iOS, Windows phone, and Cordova.

Conceal

To enable the encryption and authentication of large files on SD cards quickly and with little memory, Facebook has developed conceal. The conceal can be either authenticated or encrypted, while the Key management feature is provided by default. It uses OpenSSL, but only contains the part that it needs, so it is only 85KB in size. The results published on the conceal site show that it is better than bouncy Castle.

The following table summarizes the cryptographic libraries described above. All of the libraries described above can securely encrypt the encryption of new users, but advanced developers can not use these default practices and can specify all cryptographic details as they wish (as if they were using other cryptographic libraries). What needs to be put forward is that the novice in the encryption of this security link, you can use the mobile app encryption services, such as Love encryption, cloud security, etc., can effectively and comprehensively protect the mobile application security.

Encrypt Library	Development company	License
Aerogear Crypto	Aerogear	Apache 2.0
Conceal	Facebook	Bsd
Keyczar	——	Apache 2.0

If you're a mobile app developer, you'll have to take the time and effort to make your app easy to use, feature-rich and eye-catching, but don't forget to improve the security of your app. If you don't know how to get started, or worry about doing something wrong, choose one of the toolkits mentioned in this article so that you can start. Regardless of which encryption tool you decide to use, you should avoid implementing cryptographic algorithms and encryption protocols. Only those widely used, universally accepted, tested algorithms and protocols should be used.

Original link: Http://t.cn/RLqlAYB

Reprint: Mobile app encryption tool parsing