Choose your Android crypto

  • Replies:1
  • OpenNot stickiedUnanswered
  • Forum posts: 1

May 23, 2016 5:05:37 PM via Website

When building your next app, you might realize that you need to encrypt the data. There are two main reasons for that:

  • transmitting sensitive data to the server and back
  • storing sensitive data

Even though there is a multitude of tools for that, not all of them are equal. By just taking some random algorithm from javax.crypto and using StackOverflow example to implement it, you will generate results far from desirable. Building your own cryptosystems is hard, and it's very easy to get it wrong.

So, you need to make your choice consciously. How to do that?


Professor vs developer dilemma

When designing data protection, what you will end up with is not just 'algorithm' (the good ones are already invented by professionals and delivered to you in any library), but a cryptosystem - a combination of algorithms, storage formats, protocols, etc. Remember about "the goal"?

Algorithms don't fulfill goals, cryptosystems do. Equally, algorithm weaknesses themselves are not the problem (they could be used in a form, in which their vulnerabilities cannot be exploited), cryptosystem weaknesses are the problem: if they do deliver their guarantees, they're fine, if they don't - they're not.

And this is the basis on which you might want to choose either professor way tools or the developer way tools.

You can learn more on Cossack Labs blog, our article featuring infographic on how to choose cryptographic frameworks when developing Android apps.

  • Forum posts: 251

May 23, 2016 6:08:32 PM via Website

Read your blog article May 23, 2016. More info there and good stuff.