Facebook wants developers to secure Android app data with the Conceal Java Library
Facebook wants developers to secure Android app data with the Conceal Java Library

Facebook has launched Conceal, a new open source library of Java APIs aimed at helping developers secure Android app data that is stored on SD cards within mobile devices.

In order to speed up app performance and reduce network costs for the user, app developers use a process called "caching", whereby app data is stored directly on the smartphone for later access. On phones which have limited internal storage capacity, this data is stored on the removable SD card.

Currently, the Android operating system treats removable SD cards as publicly accessible directories, meaning that any app running on an Android smartphone or tablet can access any data stored on the SD card if it is granted the appropriate permission.

"We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps. To do this efficiently, we built Conceal, a set of Java APIs to perform cryptography on Android and make storage more secure and lightweight," Subodh Iyengar, Facebook software engineer, said on the Engineering Blog.

Security experts have long warned that cybercriminals are switching their focus from PCs to putting malware onto mobile devices, and while there's not much you can achieve with malware on smartphones right now, eventually the industry will face a big problem.

Facebook says that at the moment, encrypting data on a device is tricky as the de facto standard for encryption, AES, can only encrypt a small block of information at a time.

"Developers must choose a mode of AES to encrypt a large file, and selecting the right mode can be tricky. Many instances of vulnerabilities in apps that use encryption come from choosing insecure modes like AES-ECB, and many libraries ask developers to make this choice," Iyengar explained.

Also, in order to make sure that the data is encrypted but also keep it safe, the data has to be encrypted and a Message Authentication Code (MAC) must be computed too, and this whole process takes a long time.

So instead, Facebook's new library uses only selected cryptographic algorithms from OpenSSL to take the size of the encryption down to 85KB, making encryption easier, particularly on smartphones running older versions of the Android OS, and also making it easier to fix security vulnerabilities in OpenSSL.

"We think this makes sense because encryption can be very tricky to get right," said Iyengar.

Developers can download the Conceal Java Library on Facebook's Github page.