Facebook releases Conceal, an efficient library for encrypted storage on Android
Facebook Engineering has released a new encryption library, Conceal, for Android which is designed to encrypt data quickly without using too much system memory. On lower end Android devices resources like system memory, processor power and internal storage are often at a premium. This means that data often needs to be written to the phones expandable storage, i.e. the SD card. The problem with SD cards is that they can be removed and the data copied and used. If the data written there isn’t encrypted then you have a security risk.
Facebook currently uses Conceal in its Android app to encrypt image files for storage on SD cards. This allows the app to access more storage if needed while protecting the user’s privacy. By releasing the library as open source Facebook wants to encourage other app developers to take user privacy seriously and is giving them a tool that will help.
One key difference between Conceal and any of the other gazillion encryption libraries that exist, is that this library does just one job, therefore it doesn’t give developers a multitude of options to choose from. Rather the way the data is encrypted is fixed (using AES-GCM, an authenticated encryption algorithm) and Android’s random number generator is bypassed due to security concerns about it strength.
An authenticated encryption algorithm is one which ensures the integrity of the data by generating the Message Authentication Code (MAC) on the fly, while the data is being encrypted. In simple terms a MAC is like a checksum, the authentication code generated and the data should match up during the decryption process. If they don’t then it means that someone has been tampering with the data.
Speed is also an important element. Facebook’s testing shows that Conceal is around five times faster than the popular Bouncycastle encryption library.
Conceal officially supports Android 2.3 and higher (Gingerbread) and the documentation along with the source code can be found on Facebook’s Github. For those interested, Subodh Lyengar has some more technical details about Conceal on the Facebook Engineering blog.