Delete comment from: Android Explorations
I'm confused about a number of issues. Does Android use the open source code from Bouncy Castle? If so, I read somewhere that there is no guarantee that 256 bit encryption keys are available on all Android devices. Is that true?
I actually wrote code for an earlier version of Android that used this (even though you don't recommend using it):
SecureRandom.getInstance("SHA1PRNG");
When my app ran on a later version of Android, the decryption failed. From StackOverflow, I found out that Google had altered something in the latest release and I was required to use this instead:
SecureRandom.getInstance("SHA1PRNG", "Crypto");
Google essentially destroy backward compatibility when they did this and now I seriously question why anyone would want to use Android's built-in encryption. Makes no sense that your app encrypts it on one version of Android but breaks on another. And if they broke compatibility this time, what's to stop them from repeating this again?
Would it not be better to download the Bouncy Castle jar files and install them with your app and rely upon that instead? Then you wouldn't have to worry about Google breaking compatibility.
Another question. It seems that you are trying to stress the importance of generating a random key and not relying upon a user's password. Would just UUID to generate a random 128 bit number be the simplest and best solution? I use that function throughout my code.
Feb 4, 2013, 7:05:44 AM