One of the great things about Android using Java as the core programming language is that it includes the Java Cryptographic Extensions (JCE). JCE is a well-established, tested set of security APIs. Android uses Bouncy Castle as the open source implementation of those APIs. However, the Bouncy Castle version varies between Android versions; and only the newer versions of Android get the latest fixes. That's not all in an effort to reduce the size of Bouncy Castle; Android customizes the Bouncy Castle libraries and removes some of the services and APIs. For example, if you intend on using Elliptic Curve Cryptography (ECC ), you will see provider errors when running it on Android versions below 4.0. Also, although Bouncy Castle supports the AES-GCM scheme (which we'll cover in the next recipe), you cannot use this in Android without including it separately.
To solve this, we can include an application-specific implementation of cryptographic libraries. This recipe will show you how to include the Spongy Castle library, which provides a higher level of security given that it is more up-to-date as compared to Android's Bouncy Castle implementation and supports more cryptographic options.
You may be wondering "why use Spongy Castle and not just include the Bouncy Castle libraries". The reason is that Android already ships with an older version of the Bouncy Castle libraries, and so we need to rename the package of this library to avoid "classloader" conflicts. So, Spongy Castle is a repackaging of Bouncy Castle. In fact, the package name could be whatever you wanted as long as it differs from org.bouncycastle.
Let's add Spongy Castle to our Android application.
- Download the latest Spongy Castle binaries from https://github.com/rtyley/spongycastle/#downloads.
Review the MIT X11 License (same as Bouncy Castle) to ensure that this is compatible with how you intend to use it.
- Extract and copy the Spongy Castle
.jarfiles in your application's/libsdirectory:sc-light-jdk15on: Core lightweight APIscprov-jdk15on: JCE provider (requiressc-light-jdk15on)
- Include the following
staticcode block in your Android Application object:static { Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1); }
We use the static code block to call Security.insertProviderAt(). It ensures that the Spongy Castle provider that we have bundled in our application's /libs folder is used in preference. By setting the position as 1, we ensure that it gets preference over the existing security providers.
The beauty of using Spongy Castle with the JCE is that no modification to the existing encryption code is needed. Throughout this chapter, we show samples of an encryption code that works equally well with either Bouncy Castle or Spongy Castle.
As mentioned, the code is available for download from GitHub; however, it is possible to build your own version. Roberto Tyley, the owner of the Spongy Castle repository, has included the become-spongy.sh bash script that does the renaming of com.bouncycastle to com.spongycastle. Therefore, you can use it on your own freshly downloaded and up-to-date version of the Bouncy Castle library, and convert it to org.spongycastle or something equally cute and catchy.
Note
The become-spongy.sh bash script is available at https://gist.github.com/scottyab/8003892
- The Generating a symmetric encryption key and Password-based encryption recipes demonstrate using the JCE APIs
- The Spongy Castle GitHub repository at http://rtyley.github.io/spongycastle/#downloads
- The Bouncy Castle home page at http://www.bouncycastle.org/java.html
- The Using the Java Cryptographic Extensions OWASP community page at https://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions