Android Safe 1.0.2 was released today. There are no new features or bug fixes; this release is mainly for speed improvement.
I chose an encryption program as my first Android application because (besides the fact that I have a real need to replace my Palm application MemoAES) I needed an excuse to play with native programming on Android! :P I also picked a secure and computationally expensive key generation method: PBKDF2 with 1024 rounds (!) of iteration and a 256-bit key output for AES.
Both Android Safe versions 1.0.0 and 1.0.1 used a pure Java implementation. The Dalvik VM isn't really that bad: the key generation process took around 3 seconds. But since each note in Android Safe is encrypted with a different salt, each note effectively uses a different key. So each open, save, and import (with a different password) action requires at least one call to the PBKDF2 algorithm. The user experience is acceptable, but not that good.
Using the Android NDK, the PBKDF2 part was rewritten with JNI (in C) for version 1.0.2. The speed improvement is over fivefold. Below is some test data I collected when testing the algorithm with the test vectors found in RFC 3962. Each test was executed three times, with the average taken as the result.
| | 1200 iterations | 2 iterations |
---|---|---|
128-bit JNI | 330ms | 3ms |
128-bit Java | 1864ms | 9ms |
256-bit JNI | 632ms | 11ms |
256-bit Java | 3495ms | 97ms |
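The key derivation discussed above, as an added example that is not the app's own code (it is written in Python rather than the app's Java or C). It implements PBKDF2 with HMAC-SHA1, the PRF used by the RFC 3962 vectors, checks the 2- and 1200-iteration vectors, and shows that a 256-bit key needs two 20-byte blocks that each pay the full round count, which is consistent with the 256-bit rows taking about twice as long at 1200 iterations. `note_key` and the sample salts are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

HLEN = hashlib.sha1().digest_size  # 20 bytes: one HMAC-SHA1 output block

def pbkdf2_sha1(password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1, the PRF behind the RFC 3962 vectors."""
    out = b""
    for i in range(1, -(-dklen // HLEN) + 1):  # ceil(dklen / 20) blocks
        # U_1 = PRF(P, salt || INT(i)); U_j = PRF(P, U_{j-1}); T_i = XOR of all U_j
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(HLEN, "big")
    return out[:dklen]

def prf_calls(rounds: int, dklen: int) -> int:
    """HMAC invocations for one key: every 20-byte block pays the full round count."""
    return rounds * -(-dklen // HLEN)

# RFC 3962 Appendix B: 256-bit PBKDF2 outputs for 2 and 1200 iterations.
RFC3962_PW, RFC3962_SALT = b"password", b"ATHENA.MIT.EDUraeburn"
RFC3962_256 = {
    2: "01dbee7f4a9e243e988b62c73cda935da05378b93244ec8f48a99e61ad799d86",
    1200: "5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddbc5e5142f708a31e2e62b1e13",
}

def check_rfc3962() -> bool:
    for rounds, expected in RFC3962_256.items():
        key = pbkdf2_sha1(RFC3962_PW, RFC3962_SALT, rounds, 32)
        ref = hashlib.pbkdf2_hmac("sha1", RFC3962_PW, RFC3962_SALT, rounds, 32)
        # The 128-bit vector is simply the first block truncated to 16 bytes.
        short = pbkdf2_sha1(RFC3962_PW, RFC3962_SALT, rounds, 16)
        if key.hex() != expected or key != ref or short != key[:16]:
            return False
    return True

def note_key(password: bytes, note_salt: bytes) -> bytes:
    # 1024 rounds and a 256-bit AES key, the parameters the post states.
    return pbkdf2_sha1(password, note_salt, 1024, 32)

if __name__ == "__main__":
    print("RFC 3962 vectors match:", check_rfc3962())
    print("HMAC calls at 1200 rounds:", prf_calls(1200, 16), "vs", prf_calls(1200, 32))
    a, b = note_key(b"pw", b"salt-A"), note_key(b"pw", b"salt-B")  # constructed
    print("two notes share a key:", a == b)
```

Because the salt differs per note, no derived key can be cached across notes, so every open or save pays the full `prf_calls` cost again.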
hi,
Thanks for releasing this promising app.
1 suggestion and 1 question.
Suggestion:
The import and export functionality is basically for backing up
as it is now, since the xml it generates has all secret info in
encrypted format.
But if I have a lot of pins etc, it's either very difficult to input
them in via the UI, or I would need to do it somewhat insecurely.
Inputting them in record by record would take A LOT of work
via any Android keyboard...
Alternatively, I was thinking, I could smb over a big text file
of everything and copy/paste them into one record. This isn't
necessarily the best way, but I can live with it. However,
the temporarily locally stored file even after erasure would be
vulnerable. Recent data recovery techniques from SD drives
are proving more productive than previously thought...
I was thinking if you could expand the javascript decryption
form you currently have to also encrypt, then I could do everything
offline and write to your app's XML format, then import it.
Question:
I can't get your javascript decryption form to work. For example,
I copy the 4EA1BA51119749F89864FAADC7EC70D2 string from the tag
4EA1BA51119749F89864FAADC7EC70D2
and also input the passwd I had used for opening the app into their
respective fields, and submit, but the result is it tells me the format
of the data was correct... or something like that... what am I doing
wrong??
Thanks again,
Carl
oh, the tags were stripped... from my above example. I was referencing
a name="body" tag.
-Carl
Actually, it would be easier to create a desktop program to edit the XML file, then import it back to Android Safe... I actually spent some time writing such a program... and have a working prototype... but need more time to finish it... stay tuned...
Thanks,
:) I encourage you!! Yah, depending on what you're most familiar with, writing a normal simple CL or GUI program to import/export/decrypt/encrypt could be faster...
thanks,
carl