Over the past week, we implemented the security class responsible for encrypting and decrypting sensitive data in TNSMoney Android.
Due to the limitations of some old Android devices, the minimum supported Android version will be 4.4 (API 19), or KitKat. Android API version 19+ enables the app to store larger encryption keys (up to RSA 4096) in the Android keystore.
Algorithm & Storage Techniques
Implementing data encryption below Android API 23 (Marshmallow) can be a little challenging, since versions below Marshmallow support fewer modern encryption algorithms in the keystore.
In order to support older Android versions, we adopted a double encryption method comprising both symmetric and asymmetric algorithms.
Before any data is encrypted on TNSMoney, an asymmetric key pair (public and private key) is created (if not already available) using the RSA algorithm. The cipher transformation mode is RSA/ECB/PKCS1Padding for devices below Android API 23 and RSA/ECB/OAEPWithSHA-256AndMGF1Padding for Android API 23+. This enables the app to support encryption on devices ranging from Android KitKat to the latest versions.
The created asymmetric key pair will be used to encrypt and decrypt a secondary key, which will be responsible for the actual data encryption and decryption. This method was adopted because older Android versions supported only asymmetric algorithms in the keystore. The Android OS will securely handle the storage and management of the generated asymmetric key pair, keeping it isolated from the system process.
The actual data encryption and decryption will be handled with a symmetric method of encryption using the AES algorithm and the AES/GCM/NoPadding cipher transformation mode. During this time, the app will generate a secure random key, which will then be encrypted and saved into AndroidKeyStore. This key will be used to handle all the symmetric encryption and decryption operations.
The symmetric encryption method was adopted because it will enable the app to encrypt larger data at once. Symmetric encryption is not natively supported on older Android versions, so we had to use the BouncyCastle API through the SpongyCastle library.
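The double-encryption scheme described above, as an added example that is not taken from the project's Crypt class: an RSA key pair wraps a random AES key, and AES/GCM/NoPadding encrypts the data. It assumes a plain JVM, an in-memory 2048-bit RSA pair standing in for the keystore-held pair, and hypothetical function names and blob layout.

```kotlin
// Added example. Assumption: an in-memory RSA pair stands in for the keystore-held key pair.
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

fun rsaTransformation(apiLevel: Int) =
    if (apiLevel >= 23) "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" else "RSA/ECB/PKCS1Padding"

fun wrapKey(aes: SecretKey, kp: KeyPair, apiLevel: Int): ByteArray =
    Cipher.getInstance(rsaTransformation(apiLevel)).run {
        init(Cipher.ENCRYPT_MODE, kp.public)
        doFinal(aes.encoded)
    }

fun unwrapKey(wrapped: ByteArray, kp: KeyPair, apiLevel: Int): SecretKey =
    Cipher.getInstance(rsaTransformation(apiLevel)).run {
        init(Cipher.DECRYPT_MODE, kp.private)
        SecretKeySpec(doFinal(wrapped), "AES")
    }

// Blob layout (chosen for this example): 12-byte IV || ciphertext || 16-byte tag.
fun encrypt(plain: ByteArray, key: SecretKey): ByteArray {
    val iv = ByteArray(12).also { SecureRandom().nextBytes(it) } // fresh IV per message
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, iv))
    return iv + c.doFinal(plain)
}

fun decrypt(blob: ByteArray, key: SecretKey): ByteArray {
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, blob, 0, 12))
    return c.doFinal(blob, 12, blob.size - 12) // throws if the tag does not verify
}

fun main() {
    val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val dataKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    val sample = "constructed sample record".toByteArray()
    for (api in listOf(19, 23)) {
        val restored = unwrapKey(wrapKey(dataKey, kp, api), kp, api) // wrapped bytes get persisted
        val blob = encrypt(sample, dataKey)
        check(decrypt(blob, restored).contentEquals(sample))
        blob[blob.size - 1] = (blob[blob.size - 1].toInt() xor 1).toByte()
        check(runCatching { decrypt(blob, restored) }.isFailure) // tampering is detected
    }
}
```

The IV must be fresh for every message: reusing an IV under the same AES-GCM key undermines both confidentiality and integrity.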
The Crypt class has been pushed to the TNSMoney GitHub repository: https://github.com/transcodium/TNSMoney-Android/blob/master/app/src/main/java/com/transcodium/tnsmoney/classes/Crypt.kt