Thursday, June 17, 2010

Android Safe 1.0.2




Android Safe 1.0.2 released today. No new feature or bug fix. This release is mainly for speed improvement.

I picked to implement an encryption program as my first Android application because (besides the fact that I have a real need to replace my Palm application MemoAES) I need to have an excuse to play with native programing on Android! :P I also picked a secure and computationally expensive key generation method: PBKDF2 with 1024 rounds (!) of iteration and a 256-bit key output for AES.

Both Android Safe version 1.0.0 and 1.0.1 used pure Java implementation. The Dalvik VM isn't really that bad. The key generation process took around 3 seconds. But since each of the notes in Android Safe is encrypted with different salt, that essentially translate to the fact that they are using different keys. So each open, save, and import (with different password) action requires at least one call to the PBKDF2 algorithm. The user experience is acceptable, but not that good.

Using Android NDK, the PBKDF2 part is rewritten with JNI (in C) for version 1.0.2. The speed improvement is over five-folds. Below is some test data I collected when testing the algorithm with test vectors found in RFC3962. Each test executed three times with the average taken as the result.




PBKDF2 Speed Tests using test vectors from RFC3962.
(Pass phrase = "password". Salt="ATHENA.MIT.EDUraeburn")
1200 iterations 2 iterations
128-bit JNI
330ms
3ms
128-bit Java
1864ms
9ms
256-bit JNI
632ms
11ms
256-bit Java
3495ms
97ms


4 comments:

carl said...

hi,

Thanks for releasing this promising app.

1 suggestion and 1 question.

Suggestion:
The import and export functionality is basically for backing up
as it is now, since the xml it generates has all secret info in
it encrypted format.

But if I have alot of pins etc, it's either very difficult to input
them in via the UI, or I would need to do it somewhat insecurely.

Inputting them in record by record would take ALOT of work
via any Android keyboard...

Alternatively, I was thinking, I could smb over a big text file
of everything and copy/past them into one record. This isnt
necessary the best way, but I can live with it. However,
the temporaily locally store file even after erasure would be
vulnerable. Recent data recovery techniques from SD drives
are proving more productive then previously thought...

I was thinking if you could expand the javascript decryption
form you currently have to also encrypt, then I could do everything
offline and write to your app's XML format, then import it.

Question:
I cannt get your javascript decryption form to work. for example,
I copy the 4EA1BA51119749F89864FAADC7EC70D2 string from the tag

4EA1BA51119749F89864FAADC7EC70D2

and also input the passwd I had used for opening the app into their
respective fields, and submit, but the result is it tells me the format
of the data was correct... or something like that... what am I doing
wrong??

Thanks again,
Carl

carl said...

oh, the tags were stripped... from my above example. I was referencing
a name="body" tag.

-Carl

clarence said...

actually, it would be easier to create a desktop program to edit the XML file. Then import it back to Android Safe... I actually spent some time to write such program... and have a working prototype... but need more time to finish it... stay tuned...

carl said...

Thanks,

:) I encourage you !! yah depending on what youre most familiar with writing a normal simple CL or GUI program to import/export/decrypt/encrypt could be faster...

thanks,
carl