New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support devices runing KitKat (API 19) #6 #10
Conversation
davidmigloz
commented
Jul 9, 2018
•
edited
edited
- Init cipher using IvParameterSpec instead of GCMParameterSpec on devices running KitKat.
- Ignore associated data on devices running KitKat.
70fca34
to
2e094dd
Compare
Hi David, thanks for the PR. I have reservations about the change of using no AAD, because if a device updates to 21+ it will not verify, requiring the lib to persist SDK version and handle migration. This adds quite a bit of complexity and probably opens an downgrade attack vector. Do you have any idea how to tackle that issue? Also, how serious is the issue of missing GCMParamSpec? Is this just on a handful devices? It seems weired that a class is missing from the Android SDK thats supposed to be there? |
Hi Patrick, The traces of the two issues (tested in a Samsung Galaxy SII with Android 4.4.4): Issue with the GCMParamSpec :
Issue with the AAD:
|
I didn't think about what happens when the user updates to 21. But.. do you think it's worth to hadle it? I don't expect a lot of users updating from 19 to 21 in 2018, if they are using 19 it's probably because the manufacter droped support in that version. What do you think? About GCMParamSpec, I have no idea how many devices don't have it implemented. The limitation of using IvParameterSpec is that we have to stick to the default tag lenght of 128 bits. |
There are still working SII around 😆? Anyways, its seems that the last official update for that device was 4.1.2 (according to Wikipedia) wo we are dealing with custom rom issues. Not too keen on supporting those :/ So I suggest instead of patching the default encryption logic, why not just add a new implementation of What do you think? |
Yes it has a cyanogenmod rom.. I don't have any device with pure Android 4.4. I also tested it in an emulator and I'm getting the same two exceptions. Do you have any KitKat device where it's working? So you think is better to make the default |
Hi guys, I have few KitKat devices. And the crash happens on all of them. Today standard for new project says we should still support Kitkat devices, because there is still more than 10% active devices market share. See
|
I just tried it with the emulator and you are right, the BC version of this build does not seem to support the IV type - my statement was based upon the assumption that this is specific issue to some roms. It is very strange that Google would expose the new APIs but would not support it? We should check if there maybe is another provider in KitKat which supports AAD and GcmIvParamSpec? But I agree, that we should add a fallback variant in the default impl for kitkat, but maybe make it more clear that it is used (So a dev is clear that this will break data on SDK update in KitKat) I leave this link as a reference: |
Here there is a Google implementation: About the AAD, the docs say:
For the params, they first check that
|
@davidmigloz I finally had time to tackle this issue. I implemented a version in #31 supporting migration and implementing AES/CBC + MAC for Kitkat. The work on this PR is highly appreciated, but I think its a better idea to go with #31, so I will close this PR. If you have time please take a look at #31, since I need a second pair of eyes to check the encrypt-then-mac logic :) |
Sure, it's a much better approach than this :) |