This article is meant to be a collection of things I found useful to know while building an encryption layer within an Android app. If you have anything to contribute or to correct, please let me know and I'll make updates accordingly.

Before proceeding I highly recommend reading Yakiv Mospan's article on Android security. I found it to be an excellent foundation for getting started on encryption in Android. Note that, as of this writing, there is some overlap with Yakiv Mospan's blog post, as he is still updating it.

1. Things to avoid

Avoid ECB mode (which is applied by default when no mode is specified in the transformation string) when using symmetric AES ciphers for encryption. Use GCM or CBC instead. ECB is insecure because identical plaintext blocks always encrypt to identical ciphertext blocks, so repeated data is visible in the ciphertext (see the ECB Penguin for a visual explanation).

Do

Cipher.getInstance("AES/GCM/NOPADDING");

Don’t (will apply ECB by default)

Cipher.getInstance("AES");

Don't use hard-coded values (such as a fixed IV) for cipher initialization. The security of the cipher is compromised if it isn't given unique initialization data for every operation. Provide a SecureRandom to the cipher's init method, since the default values may not be properly random on older Android versions.

Do

SecureRandom secureRandom = new SecureRandom();
byte[] iv = new byte[IV_LENGTH]; // IV_LENGTH is 16 bytes for AES/CBC and 12 bytes for AES/GCM
secureRandom.nextBytes(iv);      // fresh random IV for every encryption; never reuse one with the same key
myCipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); // for GCM, use new GCMParameterSpec(128, iv) instead
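Putting both rules together, here is an added example (my own code, not from the original article): AES/GCM with a fresh random IV for every message, the IV prepended to the ciphertext so the decrypting side can recover it. The class name GcmExample and the key generated in main are my own choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmExample {
    private static final int GCM_IV_LENGTH = 12;   // 96-bit IV, the recommended size for GCM
    private static final int GCM_TAG_LENGTH = 128; // authentication tag length in bits
    private static final SecureRandom RNG = new SecureRandom();

    // Encrypts with AES/GCM under a fresh random IV; returns IV || ciphertext || tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_LENGTH];
        RNG.nextBytes(iv);                       // never reuse an IV with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LENGTH, iv));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Splits off the IV and decrypts; throws AEADBadTagException if the data was altered.
    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_LENGTH);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_LENGTH, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LENGTH, iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey key = kg.generateKey();                  // constructed sample key for the demo
        byte[] msg = "same plaintext, twice".getBytes(StandardCharsets.UTF_8);
        byte[] a = encrypt(key, msg);
        byte[] b = encrypt(key, msg);
        // Random IVs make the two ciphertexts differ, which ECB would not do.
        System.out.println("ciphertexts differ: " + !Arrays.equals(a, b));
        System.out.println("round trip ok: " + Arrays.equals(decrypt(key, a), msg));
        a[a.length - 1] ^= 0x01;                           // flip one bit of the tag
        try { decrypt(key, a); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```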

Don’t