Without doubt, security is an essential issue in Android application development; however, accomplishing all tasks correctly could be tricky. At Google IO/2019, Google introduced the Jetpack Security library, which aims to address some significant issues in Android security to ease the process of making apps more secure. This essay seeks to discuss some features in Android Jetpack Security in Android app development.
Overview and Introduction
Even though the Android operating system is very secure and provides file-based encryption, there are some important reasons to go further:
1. If your Android app runs on a rooted or compromised device, the file system is unlocked while the user is actively using the device. This means that even with full-disk encryption, the data is available to an attacker or to anyone who has access to the device.
2. You probably have sensitive data that you do not want a user to see. If you store items such as API keys and tokens, you do not want them leaked: whoever obtains them can impersonate you and consume your quota for their own purposes.
At Google IO/2019, Google introduced the new Jetpack Security library, which aims to solve some significant issues in Android security such as the problems mentioned above. Jetpack Security provides an abstraction over security: it is a wrapper around primitives that are built into the platform. As a result, it makes encrypting files and shared preferences simpler and less error-prone. Jetpack Security provides three main features: key management, file encryption, and SharedPreferences encryption.
The Security library, part of Android Jetpack, provides an implementation of the security best practices related to reading and writing data at rest, as well as key creation and verification.
Basically, this library uses the builder pattern to create safe default settings for the following security levels:
1. Strong security that balances robust encryption with acceptable performance. This level of security is appropriate for consumer apps such as banking and chat apps.
2. Maximum security. This level of security is appropriate for applications that need a hardware-backed key-store and user presence to authorize key access.
Under the hood, AndroidX Security uses the Tink library. Tink is an open-source crypto library created by Google that provides cryptographic APIs. Additionally, there are two kinds of data that an Android app should protect: data at rest and data in transit. Data in transit is data that is actively moving through the network; for instance, when you transfer data from the device's local storage to cloud storage. Data at rest is data that is not actively moving, such as data stored locally on your device. In most cases, data at rest is a much more valuable target than data in transit. Android Jetpack Security currently covers data at rest.
Installation
To use this library in your Android app (it is available for Android version 6.0 or higher), all you need to do is add this line to the app's Gradle file:
```groovy
dependencies {
    implementation "androidx.security:security-crypto:1.0.0-rc02"
}
```
Also, you must add the Google Maven repository to your project in order to resolve the library.
Key Management
Fundamentally, the Android Key-store system allows you to store cryptographic keys in a container that makes them much more difficult to extract from the Android device. The Key-store is very similar to a map: for each key you have a description of it, and every key in the Android Key-store has an alias. Even though your app has access to the keys, it never learns the key material itself. Besides, the Key-store lets you restrict when and how keys can be used, such as requiring user authentication before a key is used, or restricting a key to certain cryptographic modes. With Jetpack Security, you can store your key in the Android Key-store efficiently and easily through the MasterKeys class. This class lets you use Key-store keys out of the box. The MasterKeys class uses a widely recommended standard, the Advanced Encryption Standard (AES), which is one of the most important secure methods available on Android.
In addition, the Security library uses two types of key for key management:
- A key-set that includes one or more keys to encrypt a file or shared preferences data. The key-sets are themselves encrypted and stored in the shared preferences.
- A master key that encrypts all key-sets. Only the master key is stored in the Android Key-store system, which makes it more difficult to extract from the device.
The MasterKeys class gives you a recommended default master key with default settings as below:
```kotlin
val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
val masterKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)
```
The MasterKeys class consists of methods to create and obtain master keys in the Android Key-store. The getOrCreate() method gets the master key described by the provided spec, creating it if it does not exist yet. The encryption scheme is a required field, and in this code there is only one value you can use, MasterKeys.AES256_GCM_SPEC. Thus, we use the GCM block mode, and there is no padding. In other words, if you want to encrypt a small amount of data that is of the key size or less, you do not really need any padding or block mode. The important issue here is that a number of attacks and challenges arise with encryption when your data is longer than the key length, so padding and a block mode are needed in that case.
In addition, if you want your own configuration, you can build a custom master key by using the KeyGenParameterSpec class. Another important point is that you can add an extra level of protection by requiring a biometric prompt, fingerprint, or face identification. This authorization is then needed for both encryption and decryption with the key.
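The following is an added example (not code from the original article or from the library's documentation) of building such a custom master key with KeyGenParameterSpec and handing it to MasterKeys.getOrCreate(). The alias name and the 30-second authentication window are assumptions for this example. MasterKeys validates the spec, so the algorithm, key size, block mode and padding must match what MasterKeys.AES256_GCM_SPEC uses; what you add are the Key-store usage restrictions.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import androidx.security.crypto.MasterKeys

// Hypothetical alias for the custom master key (assumption for this example).
private const val CUSTOM_MASTER_KEY_ALIAS = "my_app_master_key"

/**
 * Builds a KeyGenParameterSpec that MasterKeys.getOrCreate() accepts: AES-256, GCM, no
 * padding, ENCRYPT|DECRYPT purposes (the same settings as MasterKeys.AES256_GCM_SPEC),
 * plus Key-store usage restrictions that the default spec does not enable.
 */
fun customMasterKeySpec(authValiditySeconds: Int = 30, strongBox: Boolean): KeyGenParameterSpec {
    val builder = KeyGenParameterSpec.Builder(
        CUSTOM_MASTER_KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // The key is usable only for authValiditySeconds after the user authenticated
        // (biometric or device credential); this is the extra protection level the text describes.
        .setUserAuthenticationRequired(true)
        .setUserAuthenticationValidityDurationSeconds(authValiditySeconds)

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        // Refuse any use of the key while the device is locked (API 28+).
        builder.setUnlockedDeviceRequired(true)
        // Ask for the StrongBox secure element when the caller wants it (API 28+).
        builder.setIsStrongBoxBacked(strongBox)
    }
    return builder.build()
}

/**
 * Returns the alias of the custom master key, creating the key on first use.
 * Devices without a StrongBox chip throw StrongBoxUnavailableException at key
 * generation, so the code retries once with a TEE-backed key instead.
 */
fun customMasterKeyAlias(): String = try {
    MasterKeys.getOrCreate(customMasterKeySpec(strongBox = true))
} catch (e: StrongBoxUnavailableException) {
    MasterKeys.getOrCreate(customMasterKeySpec(strongBox = false))
}
```

The returned alias is what you pass to EncryptedFile.Builder or EncryptedSharedPreferences.create() in place of the default alias. Two caveats worth knowing: getOrCreate() returns an existing key with that alias untouched, so changing the spec later does not change a key that was already generated, and because user authentication is required, a read or write performed more than authValiditySeconds after the last successful prompt fails with a key-user-not-authenticated error, which the app has to handle by showing the prompt again.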
File Encryption
Another important feature of the Jetpack Security library is file encryption, which lets you encrypt the files your app stores. All you need to do is create a file and then wrap it as an encrypted file as follows:
```kotlin
val fileToRead = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
    File(directory, fileToRead),
    context,
    masterKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()
```
The EncryptedFile class provides custom implementations of FileInputStream and FileOutputStream that make your app's reading and writing operations secure. EncryptedFile is a streaming file: the content is encrypted in 4 KB segments as it is written, so you can encrypt very large files without loading them into memory.
After obtaining the encrypted file, if you want to write some data to your encrypted file or read from it, you can use the openFileOutput() and openFileInput() methods as below:
```kotlin
// Writing: the stream encrypts as it goes; closing it (done by `use`) finalizes the file.
encryptedFile.openFileOutput().bufferedWriter().use { bufferedWriter ->
    bufferedWriter.write("some sensitive data")
}

// Reading: lines are decrypted on the fly, one at a time.
encryptedFile.openFileInput().bufferedReader().useLines { lines ->
    lines.forEach { line -> println(line) }
}
```
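As an added example (not code from the original article or from the library), the helper class below wraps the build/write/read steps above into a small API and handles the two things that trip people up in practice: openFileOutput() throws an IOException when the target file already exists, and a missing file must be checked for before opening it for reading. The class name, method names and the use of context.filesDir are assumptions for this example.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.MasterKeys
import java.io.File
import java.io.IOException

// Hypothetical helper; names are assumptions, not part of the Jetpack Security API.
class EncryptedNotes(private val context: Context) {

    // Default master key from the Key-store, created on first use.
    private val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

    private fun target(name: String) = File(context.filesDir, name)

    private fun encryptedFile(name: String): EncryptedFile =
        EncryptedFile.Builder(
            target(name),
            context,
            masterKeyAlias,
            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
        ).build()

    /**
     * Writes [plaintext] as a new encrypted file with overwrite semantics.
     * EncryptedFile.openFileOutput() refuses to open an existing file, so a previous
     * version is deleted first; deleting and rewriting is the only way to "update" it.
     */
    fun write(name: String, plaintext: String) {
        val file = target(name)
        if (file.exists() && !file.delete()) {
            throw IOException("could not replace existing file $name")
        }
        encryptedFile(name).openFileOutput().use { out ->
            out.write(plaintext.toByteArray(Charsets.UTF_8))
            out.flush()
        }
    }

    /** Decrypts and returns the whole file, or null when it does not exist. */
    fun read(name: String): String? {
        if (!target(name).exists()) return null
        return encryptedFile(name).openFileInput().use { input ->
            input.readBytes().toString(Charsets.UTF_8)
        }
    }

    /** Streams the file line by line so a large file is never fully held in memory. */
    fun forEachLine(name: String, action: (String) -> Unit) {
        encryptedFile(name).openFileInput().bufferedReader(Charsets.UTF_8).useLines { lines ->
            lines.forEach(action)
        }
    }

    /** Quick check that the bytes on disk are ciphertext, not the plaintext that was written. */
    fun plaintextVisibleOnDisk(name: String, plaintext: String): Boolean =
        target(name).exists() && target(name).readText(Charsets.ISO_8859_1).contains(plaintext)
}
```

One more caveat for anyone copying or backing up these files: EncryptedFile binds the ciphertext to the file name (the name is used as associated data for the authenticated encryption), so a file that is renamed, or decrypted under a different master key or on a different device, fails to decrypt rather than yielding garbage.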
SharedPreferences Encryption
You can also encrypt shared preferences with Jetpack Security. Encrypting shared preferences is similar to encrypting files. Generally, we store our data in SharedPreferences because it is easy to use; at the same time, it is an easy target for attackers who want to obtain keys from SharedPreferences. Therefore, we need to encrypt our SharedPreferences data using the EncryptedSharedPreferences feature of the Security library. An important detail is that the keys and the values are encrypted in different ways. You can encrypt shared preferences as follows:
```kotlin
val sharedPrefs = EncryptedSharedPreferences.create(
    "my_secure_preferences",
    MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),
    context,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
```
Although reading and writing encrypted shared preferences has clear security benefits, these operations are slower, because every access has to be decrypted. In particular, there is a notable performance cost when initializing encrypted shared preferences compared with regular ones, so use this feature where it is actually needed.
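The following added example (not code from the original article or from the library) shows the usage pattern that follows from the paragraph above: create the EncryptedSharedPreferences instance once and cache it, because initialization is the expensive step, then read and write through it like ordinary preferences. The object name, the preference file name and the key name are assumptions for this example.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys
import java.io.File

// Hypothetical names; the file and key names are assumptions for this example.
private const val SECURE_PREFS_FILE = "my_secure_preferences"
private const val KEY_API_TOKEN = "api_token"

object SecureTokenStore {
    @Volatile private var cached: SharedPreferences? = null

    /** Builds the encrypted preferences once (the slow part) and reuses the instance. */
    private fun prefs(context: Context): SharedPreferences =
        cached ?: synchronized(this) {
            cached ?: EncryptedSharedPreferences.create(
                SECURE_PREFS_FILE,
                MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),
                context.applicationContext,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
            ).also { cached = it }
        }

    /** Stores the token; commit() (not apply()) so the caller learns whether the write succeeded. */
    fun saveToken(context: Context, token: String): Boolean =
        prefs(context).edit().putString(KEY_API_TOKEN, token).commit()

    /** Returns the decrypted token, or null when none is stored. */
    fun loadToken(context: Context): String? =
        prefs(context).getString(KEY_API_TOKEN, null)

    fun clearToken(context: Context) {
        prefs(context).edit().remove(KEY_API_TOKEN).apply()
    }

    /**
     * Sanity check for a test build: neither the key name nor the token value may appear
     * in clear text in the backing XML file under shared_prefs/.
     */
    fun plaintextLeaked(context: Context, token: String): Boolean {
        val xml = File(context.applicationInfo.dataDir, "shared_prefs/$SECURE_PREFS_FILE.xml")
        if (!xml.exists()) return false
        val content = xml.readText()
        return content.contains(KEY_API_TOKEN) || content.contains(token)
    }
}
```

The two schemes in the create() call explain the "keys and values are encrypted in a different way" remark: key names use AES-256-SIV, which is deterministic, so the same preference name always maps to the same ciphertext and lookups by name still work; values use AES-256-GCM with a fresh nonce per write, so two writes of the same value produce different ciphertext.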
In conclusion
This article explained some features of Android Jetpack Security in Android app development. Even though this library offers some prominent classes for Android developers, some drawbacks remain to consider, such as limitations in the algorithms that can be applied and the compatibility of Android devices with this library (it is available for Android version 6.0 or higher).
Translated from: https://medium.com/kayvan-kaseb/android-jetpack-security-db4079fcaad0