Why should I care about this?
As the Android platform gains popularity, it will become an attractive target for malware developers. Malware and spyware put users' data at risk. We believe that safeguarding users' data against spyware and malware is very important for user trust. At Facebook, we've been using Conceal for a while now to encrypt data on SD cards. We think that other developers also believe in this goal but are deterred by the impact of encryption on old phones. We've released this library so that every app can protect user data in an efficient manner. We also want to get the community involved to further improve the security and efficiency of this library.
How can I contribute?
We're actively looking for contributions to the project on GitHub. Feel free to submit an issue or pull request.
How can I reproduce these benchmark results?
The benchmarks we've shown compare the Android system-provided libraries (AES-CTR-HMAC-SHA1, since it doesn't provide GCM), Bouncycastle (AES-GCM) and Conceal (AES-GCM) run on a Galaxy Y.
Our benchmarks are written using the
and can be reproduced on real devices with the help of
To run the benchmarks, you must have BUCK installed as a prerequisite. Connect your device to your computer, and you can then invoke the benchmarks from our repo.
For example, to invoke the read benchmark for a 100KB plaintext load, you can use:
    ./benchmarks/run \
      benchmarks/src/com/facebook/crypto/benchmarks/CipherReadBenchmark.java \
      -- -Dsize=102400
Why aren't you using the OpenSSL version provided by Android?
Conceal makes use of AES-GCM mode, which is not available in the versions of OpenSSL that ship with old Android phones. The major issue with the stock OpenSSL is that it is just too large for any app to even consider including it in an APK. By shipping only certain encryption libraries of OpenSSL, we reduce the size of the compiled binary and can also support Android versions from Froyo. The size of the armeabi-v7a version is 85KB.
Can I build a version with only the encryption libraries of OpenSSL on my own?
Here are build instructions to do it yourself.
I think I found a bug. How can I report it?
We would really appreciate it if you could either submit an issue or, even better, submit a pull request on GitHub.
I think I found a security vulnerability. How can I report it?
We appreciate responsible disclosures of security vulnerabilities via our Whitehat program.