Using cryptography libraries

One of the great things about Android using Java as the core programming language is that it includes the Java Cryptographic Extensions (JCE). JCE is a well-established, tested set of security APIs. Android uses Bouncy Castle as the open source implementation of those APIs. However, the Bouncy Castle version varies between Android versions, and only the newer versions of Android get the latest fixes. That's not all: in an effort to reduce the size of Bouncy Castle, Android customizes the Bouncy Castle libraries and removes some of the services and APIs. For example, if you intend on using Elliptic Curve Cryptography (ECC), you will see provider errors when running it on Android versions below 4.0. Also, although Bouncy Castle supports the AES-GCM scheme (which we'll cover in the next recipe), you cannot use this in Android without including it separately.

To solve this, we can include an application-specific implementation of cryptographic libraries. This recipe will show you how to include the Spongy Castle library, which provides a higher level of security given that it is more up-to-date as compared to Android's Bouncy Castle implementation and supports more cryptographic options.

You may be wondering, "Why use Spongy Castle and not just include the Bouncy Castle libraries?" The reason is that Android already ships with an older version of the Bouncy Castle libraries, so we need to rename the package of this library to avoid "classloader" conflicts. Spongy Castle is therefore a repackaging of Bouncy Castle. In fact, the package name could be whatever you wanted as long as it differs from org.bouncycastle.

How to do it...

Let's add Spongy Castle to our Android application.

  1. Download the latest Spongy Castle binaries from https://github.com/rtyley/spongycastle/#downloads.

    Review the MIT X11 License (same as Bouncy Castle) to ensure that this is compatible with how you intend to use it.

  2. Extract and copy the Spongy Castle .jar files into your application's /libs directory:
    • sc-light-jdk15on: Core lightweight API
    • scprov-jdk15on: JCE provider (requires sc-light-jdk15on)
  3. Include the following static code block in your Android Application object:
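    // Requires: import java.security.Security;
    static {
      // Position 1 is the highest priority in the JCE provider list
      Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1);
    }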

How it works...

We use the static code block to call Security.insertProviderAt(). It ensures that the Spongy Castle provider that we have bundled in our application's /libs folder is used in preference. By setting the position as 1, we ensure that it gets preference over the existing security providers.

The beauty of using Spongy Castle with the JCE is that no modification to the existing encryption code is needed. Throughout this chapter, we show samples of encryption code that work equally well with either Bouncy Castle or Spongy Castle.
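A way to confirm at startup that the bundled provider really is the one serving JCE lookups, written as an added example that is not part of the original recipe. It assumes the scprov-jdk15on jar from step 2 is on the classpath and that the Spongy Castle provider registers under the name "SC"; the class and method names are hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import org.spongycastle.jce.provider.BouncyCastleProvider;

public final class ProviderCheck {
    // Hypothetical helper: puts the bundled provider first in the list and
    // fails fast if lookups would still resolve to a platform provider.
    // Returns the name of the provider that serves the transformation.
    public static String installAndVerify(String transformation) throws Exception {
        Provider sc = new BouncyCastleProvider(); // Spongy Castle repackaging

        // insertProviderAt returns -1 when a provider with the same name is
        // already registered; its existing position is then left unchanged,
        // so remove it and insert again to force position 1.
        int pos = Security.insertProviderAt(sc, 1);
        if (pos == -1) {
            Security.removeProvider(sc.getName());
            pos = Security.insertProviderAt(sc, 1);
        }
        String first = Security.getProviders()[0].getName();
        if (pos != 1 || !first.equals(sc.getName())) {
            throw new IllegalStateException("Preferred provider is " + first);
        }

        // Ask for the cipher without naming a provider, exactly as existing
        // encryption code would, and check which provider answers.
        Cipher cipher = Cipher.getInstance(transformation);
        String served = cipher.getProvider().getName();
        if (!served.equals(sc.getName())) {
            throw new IllegalStateException(
                transformation + " is served by " + served + ", not " + sc.getName());
        }
        return served;
    }

    public static void main(String[] args) throws Exception {
        // AES-GCM is the scheme the recipe says the platform build lacks.
        System.out.println(installAndVerify("AES/GCM/NoPadding"));
    }
}
```

In an Android application, the call belongs in the Application class's static block in place of the bare insertProviderAt() call, so a missing or shadowed provider surfaces at launch rather than at the first encryption.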

There's more...

As mentioned, the code is available for download from GitHub; however, it is possible to build your own version. Roberto Tyley, the owner of the Spongy Castle repository, has included the become-spongy.sh bash script that does the renaming of org.bouncycastle to org.spongycastle. Therefore, you can use it on your own freshly downloaded and up-to-date version of the Bouncy Castle library, and convert it to org.spongycastle or something equally cute and catchy.

Note

The become-spongy.sh bash script is available at https://gist.github.com/scottyab/8003892

See also
