Producing secure cryptographic code has never been easy, especially for developers cranking out smartphone apps on tight deadlines. Now, Facebook engineers hope to ease the pain with an open-source tool that automates some of the more difficult tasks.

Conceal, as the code library has been dubbed, provides a set of easy-to-use programming interfaces for securely storing sensitive app data on an Android-based smartphone's secure digital (SD) card. Using an SD card to stash authentication tokens and similar data helps speed up bandwidth- and resource-constrained mobile apps, but it often comes at a cost. Android designates SD cards as a public resource, a design that allows other apps to access the same files. That means developers who want to improve the performance of their apps have frequently struggled to secure SD-residing data so it can't be accessed by other programs.

"Many develop one-off solutions themselves," Facebook software engineer Subodh Iyengar told Ars. "One objective of releasing Conceal is to enable other developers to quickly get up and running. We also believe that libraries get better with contributions and feedback from the community, and the community support can help improve the performance and security of this library."

He said cryptographically enabled apps developed with Conceal run significantly faster than those developed with other libraries. Some open-source benchmarks, for instance, showed that Conceal took well under 50 milliseconds to read or write encrypted data, compared with 150 milliseconds to 250 milliseconds for apps developed with Java or BouncyCastle.

Selecting the right cryptography settings can be challenging. Even when developers choose the industry standard Advanced Encryption Standard (AES), they still must pick a mode that's both quick and secure. AES modes such as ECB frequently undermine a developer's best intentions by introducing vulnerabilities that may make it possible for attackers to break the encryption. Conceal presents developers with a set of best practices by default. For instance, it uses the GCM mode of AES to ensure that data is not only encrypted but also authenticated so it can't be tampered with.

The library also provides resources for storing and managing keys to protect against known weaknesses in Android's random number generator. As Ars reported in August, the weakness in Android's SecureRandom function was exploited to pilfer about $5,720 worth of bitcoins out of a digital wallet and could affect as many as 360,000 apps. Conceal provides a default way to store keys using Android's SharedPreferences resource that helps to transparently mitigate the vulnerability.

Like most good crypto code, the libraries contained in Conceal don't implement any custom cryptography. Instead, they use algorithms included in the OpenSSL library. The OpenSSL code included in Conceal has been carefully chosen to ensure that it's lightweight, coming in at just 85 kilobytes in size. Iyengar has more about Conceal here. The code is here.