Slide 1

Slide 1 text

Secure your app’s data with JetSec

Monika Kumar Jethani

Slide 2

Slide 2 text

About Me

Monika is an Android developer with 6 years of experience in mobile application development. She is a regular Android/Kotlin speaker at mobile development conferences and meetups. Last but not least, she shares her birthday with Java :)

Twitter handle: @monika_jethani

Slide 3

Slide 3 text

Agenda

• Need for Encryption
• Challenges with Encryption
• Intro to JetSec
• Double layer security model
• Android Keystore and Master Key
• Encrypting Files
• Encrypting Shared Preferences
• Demo
• Overview of Tink
• What’s new in JetSec

Slide 4

Slide 4 text

Need for encryption

• To protect data in shared storage.
• To protect sensitive data like personally identifiable information (PII), personal health information (PHI), financial details, enterprise data, etc.
• To protect data on a rooted device, even with full-disk encryption.
• To prevent users from accessing tokens and keys used in your app.

Slide 5

Slide 5 text

Challenges with Encryption

Slide 6

Slide 6 text

I don’t know the different encryption algorithms and the differences between them. How can I do encryption of data in my app?

Slide 7

Slide 7 text

JetSec

The Jetpack Security library provides an implementation of the security best practices related to reading and writing data at rest, as well as key creation and verification.

Source: developer.android.com

Slide 8

Slide 8 text

JetSec Features

• Key creation and storage
• Encryption operations
• Supported on API level 23+
• Allows you to locally protect files that may contain sensitive data, API keys, OAuth tokens, and other types of secrets.
• Suited to consumer apps such as banking and chat apps, as well as enterprise apps.
• Provides great encryption as well as good performance.
• Suited to apps that require a hardware-backed keystore and user presence for providing key access.

Slide 9

Slide 9 text

Getting started with JetSec

    implementation "androidx.security:security-crypto:1.0.0-rc03"

Slide 10

Slide 10 text

Double layer Security Model

• Keyset - Contains one or more keys used to encrypt a file or shared preferences. It is stored in SharedPreferences.
• Master (primary) key - Encrypts all keysets that are used for each cryptographic operation. This key is stored in the Android Keystore, making it difficult to extract.
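
The two layers on this slide, sketched with plain JCE AES-GCM on the JVM as an added example (not code from the talk or from JetSec). It assumes an in-memory key standing in for the Keystore master key and an IV-prefixed layout chosen for the sketch, not Tink's keyset format.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

private val rng = SecureRandom()

fun newAesKey(): SecretKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()

// AES-256-GCM; output layout (assumption of this sketch): 12-byte random IV || ciphertext || tag.
fun seal(key: SecretKey, plaintext: ByteArray): ByteArray {
    val iv = ByteArray(12).also { rng.nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, iv))
    return iv + cipher.doFinal(plaintext)
}

// Throws AEADBadTagException when the key is wrong or the sealed bytes were modified.
fun unseal(key: SecretKey, sealed: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, sealed, 0, 12))
    return cipher.doFinal(sealed, 12, sealed.size - 12)
}

fun main() {
    // Stand-in for the master key; on a device it stays inside the Android Keystore.
    val masterKey = newAesKey()
    // Stand-in for a keyset: the key that actually encrypts one file or preferences file.
    val dataKey = newAesKey()

    // Layer 1: the data key encrypts the content (constructed sample value).
    val content = seal(dataKey, "oauth_token=constructed-sample".toByteArray())
    // Layer 2: the master key wraps the data key; only this wrapped form is written to disk.
    val wrappedKey = seal(masterKey, dataKey.encoded)

    // Reading back: unwrap the data key with the master key, then decrypt the content.
    val unwrapped = SecretKeySpec(unseal(masterKey, wrappedKey), "AES")
    println(String(unseal(unwrapped, content)))

    // A modified wrapped key fails GCM tag verification instead of yielding a wrong key.
    wrappedKey[wrappedKey.size - 1] = (wrappedKey.last().toInt() xor 1).toByte()
    val rejected = runCatching { unseal(masterKey, wrappedKey) }.isFailure
    println("tampered keyset rejected: $rejected")
}
```

Someone who copies the preferences file off the device gets only the wrapped key and the ciphertext; without the master key neither can be opened.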

Slide 11

Slide 11 text

Android Keystore

• Hardware-backed
• Stores cryptographic keys, making them hard to extract.
• Stores keys in a trusted execution environment or StrongBox.
• To allow JetSec to store keys in StrongBox, we need to enable a flag.

Slide 12

Slide 12 text

Master Key

    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

Slide 13

Slide 13 text

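Custom Key

    val keySpecifications = KeyGenParameterSpec.Builder(
        "keystore_alias",
        // MasterKeys.getOrCreate() rejects a spec that lacks either purpose
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    ).apply {
        setKeySize(256)
        setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    }.build()

    // getOrCreate() returns the Keystore alias of the key, not the key material
    val masterKey = MasterKeys.getOrCreate(keySpecifications)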

Slide 14

Slide 14 text

Add-ons for Key Creation

    val advancedSpec = KeyGenParameterSpec.Builder(
        "master_keystore_alias",
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    ).apply {
        setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        setKeySize(256)
        setUserAuthenticationRequired(true)
        setUserAuthenticationValidityDurationSeconds(15) // must be larger than 0
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            setUnlockedDeviceRequired(true)
            // Key generation throws StrongBoxUnavailableException on devices without StrongBox
            setIsStrongBoxBacked(true)
        }
    }.build()

    val masterKeyAlias = MasterKeys.getOrCreate(advancedSpec)

Slide 15

Slide 15 text

Encrypting Files

• Uses EncryptedFile class.
• Provides custom implementations of FileInputStream and FileOutputStream.
• Uses the Streaming Authenticated Encryption with Associated Data (AEAD) primitive of Tink.
• Facilitates secure reading and writing operations.

Slide 16

Slide 16 text

Creating an Encrypted File

    val encryptedFile = EncryptedFile.Builder(
        secretFile,
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()

Slide 17

Slide 17 text

Reading and Writing to EncryptedFile

    encryptedFile.openFileOutput().bufferedWriter().use { bufferedWriter ->
        // Writing some data..
    }

    encryptedFile.openFileInput().bufferedReader().useLines { lines ->
        // Reading data..
    }

Slide 18

Slide 18 text

Encrypting Shared Preferences

• Uses EncryptedSharedPreferences class.
• Wrapper around SharedPreferences class.
• Encrypts keys and values using a two-scheme method:
  1. Keys are encrypted deterministically.
  2. Values are encrypted non-deterministically using AES-256 GCM.

Slide 19

Slide 19 text

Creating an Encrypted SharedPreference

    val sharedPreferences = EncryptedSharedPreferences.create(
        "encrypted_shared_prefs", // filename
        masterKeyAlias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

Slide 20

Slide 20 text

Writing to EncryptedSharedPreferences

    sharedPreferences.edit()
        .putString(SHARED_PREFERENCES_KEY, data.text.toString())
        .apply()

Slide 21

Slide 21 text

Demo of Encrypting and Decrypting Shared Preferences data

Slide 23

Slide 23 text

Contents of Shared Preferences file after encryption

Slide 24

Slide 24 text

What does JetSec use under the hood?

• JetSec uses Tink under the hood.
• Tink is an open-source, cross-platform security project from Google.
• https://github.com/google/tink
• Provides cryptographic APIs that are secure, easy to use, and harder to misuse.

Slide 25

Slide 25 text

Features of Tink

• Key Rotation
• Message Signing
• Hybrid Encryption
• MAC
• Google Cloud Key support
• Create your own primitives

Slide 26

Slide 26 text

What’s new in JetSec?

• Lollipop (API 21+) is now supported.
• The MasterKeys class is now deprecated, and a new MasterKey class has been introduced to support new features and new versions of Android that don’t have KeyGenParameterSpec.
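
How the key options from the "Add-ons for Key Creation" slide and the two encrypted stores look with the newer MasterKey class, as an added example rather than code from the talk. It assumes a security-crypto release that ships MasterKey; the function names are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.File

// Replaces MasterKeys.getOrCreate(...): the builder returns a MasterKey object
// instead of a String alias and hides KeyGenParameterSpec from the caller.
fun buildMasterKey(context: Context): MasterKey =
    MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        // Same intent as setUserAuthenticationRequired(true) plus a 15 s validity window.
        .setUserAuthenticationRequired(true, 15)
        // A request, not a hard requirement, unlike setIsStrongBoxBacked(true).
        .setRequestStrongBoxBacked(true)
        .build()

// Argument order changed: Context comes first, then the file name, then the MasterKey.
fun openSecurePrefs(context: Context, masterKey: MasterKey): SharedPreferences =
    EncryptedSharedPreferences.create(
        context,
        "encrypted_shared_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

// Same change for files: Context first, and the MasterKey replaces the alias.
fun openSecureFile(context: Context, masterKey: MasterKey, secretFile: File): EncryptedFile =
    EncryptedFile.Builder(
        context,
        secretFile,
        masterKey,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
    ).build()
```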

Slide 27

Slide 27 text

https://issuetracker.google.com/issues/new?component=618647&template=1257270

Slide 28

Slide 28 text

Thank you

For queries, write to me on Twitter at @monika_jethani