IMAT Academy

IMAT Academy Mobile Application & Game Development
Jobs are up for Grabs.......
Step in to begin your Digital career........

IMAT is pioneered by technologists and business professionals from the Mobile Technology development industry after realising the pulse of the domain and the need for resources who can be productive within the shortest possible time. IMAT was started with the intention of creating a large pool of employable Mobile App developers in India. At IMAT we strive to deliver the best to our students through up-to-date course materials and high tech laboratory facilities for the actual project experience.

13/09/2016

Want to become a developer of the world's most influenced mobile application in just two months ? Call us Now and Step into your Digital career...!

03/09/2016
02/07/2016

Security "Crypto" provider deprecated in Android N

Posted by Sergio Giro, software engineer

If your Android app derives keys using the SHA1PRNG algorithm from the Crypto provider, you must start using a real key derivation function and possibly re-encrypt your data.

The Java Cryptography Architecture allows developers to create an instance of a class like a cipher, or a pseudo-random number generator, using calls like:
SomeClass.getInstance("SomeAlgorithm", "SomeProvider");

Or simply:
SomeClass.getInstance("SomeAlgorithm");

For instance,
Cipher.getInstance("AES/CBC/PKCS5PADDING");
SecureRandom.getInstance("SHA1PRNG");

On Android, we don’t recommend specifying the provider. In general, any call to the Java Cryptography Extension (JCE) APIs specifying a provider should only be done if the provider is included in the application or if the application is able to deal with a possible ProviderNotFoundException.

Unfortunately, many apps depend on the now removed “Crypto” provider for an anti-pattern of key derivation.

This provider only provided an implementation of the algorithm “SHA1PRNG” for instances of SecureRandom. The problem is that the SHA1PRNG algorithm is not cryptographically strong. For readers interested in the details, “On statistical distance based testing of pseudo random sequences and experiments with PHP and Debian OpenSSL”, Section 8.1, by Yongge Wang and Tony Nicol, states that the “random” sequence, considered in binary form, is biased towards returning 0s, and that the bias worsens depending on the seed.

As a result, in Android N we are deprecating the implementation of the SHA1PRNG algorithm and the Crypto provider altogether. We’d previously covered the issues with using SecureRandom for key derivation a few years ago in Using Cryptography to Store Credentials Safely. However, given its continued use, we will revisit it here.

A common but incorrect usage of this provider was to derive keys for encryption by using a password as a seed. The implementation of SHA1PRNG had a bug that made it deterministic if setSeed() was called before obtaining output. This bug was used to derive a key by supplying a password as a seed, and then using the "random" output bytes for the key (where “random” in this sentence means “predictable and cryptographically weak”). Such a key could then be used to encrypt and decrypt data.

In the following, we explain how to derive keys correctly, and how to decrypt data that has been encrypted using an insecure key. There’s also a full example, including a helper class to use the deprecated SHA1PRNG functionality, with the sole purpose of decrypting data that would be otherwise unavailable.

Keys can be derived in the following way:

If you're reading an AES key from disk, just store the actual key and don't go through this weird dance. You can get a SecretKey for AES usage from the bytes by doing:

SecretKey key = new SecretKeySpec(keyBytes, "AES");

If you're using a password to derive a key, follow Nikolay Elenkov's excellent tutorial with the caveat that a good rule of thumb is the salt size should be the same size as the key output. It looks like this:

/* Imports needed by this snippet: */
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/* User types in their password: */
String password = "password";

/* Store these things on disk used to derive key later: */
int iterationCount = 1000;
int saltLength = 32; // bytes; should be the same size as the output (256 / 8 = 32)
int keyLength = 256; // 256-bits for AES-256, 128-bits for AES-128, etc
byte[] salt; // Should be of saltLength

/* When first creating the key, obtain a salt with this: */
SecureRandom random = new SecureRandom();
salt = new byte[saltLength]; // assign the field declared above; do not redeclare it
random.nextBytes(salt);

/* Use this to derive the key from the password: */
KeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt,
        iterationCount, keyLength);
SecretKeyFactory keyFactory = SecretKeyFactory
        .getInstance("PBKDF2WithHmacSHA1");
byte[] keyBytes = keyFactory.generateSecret(keySpec).getEncoded();
SecretKey key = new SecretKeySpec(keyBytes, "AES");

That's it. You should not need anything else.

To make transitioning data easier, we covered the case of developers that have data encrypted with an insecure key, which is derived from a password every time. You can use the helper class InsecureSHA1PRNGKeyDerivator in the example app to derive the key.

private static SecretKey deriveKeyInsecurely(String password,
        int keySizeInBytes) {
    byte[] passwordBytes = password.getBytes(StandardCharsets.US_ASCII);
    return new SecretKeySpec(
            InsecureSHA1PRNGKeyDerivator.deriveInsecureKey(
                    passwordBytes, keySizeInBytes),
            "AES");
}

You can then re-encrypt your data with a securely derived key as explained above, and live a happy life ever after.

Note 1: as a temporary measure to keep apps working, we decided to still create the instance for apps targeting SDK version 23, the SDK version for Marshmallow, or less. Please don't rely on the presence of the Crypto provider in the Android SDK; our plan is to delete it completely in the future.

Note 2: Because many parts of the system assume the existence of a SHA1PRNG algorithm, when an instance of SHA1PRNG is requested and the provider is not specified we return an instance of OpenSSLRandom, which is a strong source of random numbers derived from OpenSSL.

02/07/2016

HERE COMES ANDROID N - NOUGAT (a sweet confection of nuts mixed with sugar.)

02/07/2016

HERE COMES THE ANDROID N - NOUGAT

02/07/2016

Android N name revealed: It's Nougat:

After months of calling the next release simply “Android N,” Google has finally settled on a name.

The company revealed Nougat on its Snapchat channel and Twitter, which included uncovering the latest statue to grace the Google campus.

Google names its Android versions after what it calls “sweet treats.” Though the first two releases had no corresponding name, the early 1.5 release was named “Cupcake.” From there, each new version of Android takes on the name of some sort of sweet food, each name beginning with the next letter of the alphabet. After Cupcake came Donut, then Eclair, all the way through corporate-sponsored “KitKat” (version 4.4), and last year’s “Marshmallow” (6.0).

Android Nougat is part of a lengthy, delicious-sounding version history.

What is Nougat, anyway?

Google hasn’t detailed the official version number yet, but most of its Android N images and mockups display a time of 7:00 on the clock, which is a clear indication that it will be 7.0. Google did the same with the clock on its mockups of previous Android releases. Nougat is currently in beta and expected for release this fall. What is nougat, exactly?

It’s part of a family of confections that are made with roasted nuts, sugar, honey, whipped egg whites, and usually chopped, candied fruit. It’s particularly popular in India, the birthplace of Google CEO Sundar Pichai. Here in the U.S., it’s typically one of the ingredients in a larger candy bar (like Snickers or 3 Musketeers).

Any guesses on what Android O will be?
Read all about it

Wondering what's coming to your phones when they get the Android Nougat update? You can start with this gallery showing some of the latest features in the preview.

Then, stop by this list of features from Google I/O; it gives you a good idea of what to expect out of Google's latest OS.

30/05/2016

Naiyyappam to Nankhatai: 5 Indian sweets that will make Android N sweeter :

1.Naiyyappam - Android Naiyyappam. This sweet made with flour, jaggery and ghee, we feel surely has the capacity to lure Google in to naming its next OS as Android Naiyyappam.

2.Nariyal Loaddo- Android Nariyal Loaddo will definitely bring more luck to Google's Android. And why not? It has a perfect shape, tastes great and it's every coconut lover's favourite.

3.Nankhatai - Android Nankhatai. Dear good Android guys, you must try Nankhatai. If you like it (which you should) then name the next version Android Nankhatai. When baked perfectly, Nankhatai just melts in your mouth, and the scrumptious outer layer just leaves you wanting for more. We bet you can't just have one!

4.Nariyal Barfi - Android Nariyal Barfi? We love to eat it but won't Android Nariyal Barfi look a bit too similar to an already giant white Android Marshmallow. Imagine, a huge piece of textured white square placed outside the Google's office. Won't it look majestic?

5.Ney Payasam - Android Ney Payasam. Now, Ney Payasam isn't a dish many of you must have heard of, but that doesn't make it less awesome. Made with jaggery and 'ghee', no one can say no to Ney Payasam, and Google shouldn't either. Now, how cool would a bowl of Ney Payasam icon look when you try to update your smartphone to Google's latest OS?

27/04/2016

GREAT OPPORTUNITY FOR SCHOOL STUDENTS ...DON'T EVER MISS IT..

25/04/2016

digital marketing trends of 2015 is one of the most talked about topics in the mobile marketing Industry and our Company are Experts In http://hoppinonline.c...

25/04/2016

How can our Mobile Apps help your business?

19/04/2016

HAPPY TO ANNOUNCE THAT WE ARE GIVING AN OPPORTUNITY ONCE AGAIN TO LEARN GAME DEVELOPMENT IN ANDROID. SO CALL US AND STEP INTO YOUR DIGITAL CAREER...

16/04/2016

EARN YOUR SCHOLARSHIP....

Address

#304, GST Road, Chromepet
Chennai
600044

Opening Hours

Monday 9am - 6pm
Tuesday 9am - 6pm
Wednesday 9am - 6pm
Thursday 9am - 6pm
Friday 9am - 6pm
Saturday 9am - 6pm
