14 DAY TRIAL // This week, Google announced plans to remove the Crypto provider from Android N, expected to be launched this fall.
If you didn't know, Android is an operating system built on Java, and as such, it uses the Java Cryptography Architecture to allow developers to write and manage encryption operations in their code.
The Java Cryptography Architecture (JCA) is a major piece of the Java platform that can work with various types of algorithms, different based on their algorithm principles and purpose.
Crypto provider deemed not useful anymore
When a developer wants to run operations that work with encryption, they call on one of these algorithms by loading their Provider, which you can think of as a category, and then select the desired encryption algorithm.
Android supports most of the JCA providers, such as OpenSSL, BC, HarmonyJSSE, DRLCertFactory, and more.
Prior to Android N, one of these providers was Crypto, and it included support for algorithms such as SHA1PRNG, SHA1withDSA, DSA, and SHA-1. As you can see, most of these algorithms are considered weak and insecure in today's encryption scene.
"In Android N we are deprecating the implementation of the SHA1PRNG algorithm and the Crypto provider altogether," Sergio Giro, Android software engineer, wrote last week.
Developers should migrate their code to use other JCA providers
The company is now advising developers to rewrite their apps if they used the Crypto provider, and the SHA1PRNG algorithm specifically.
Many developers used this algorithm to create encryption key derivates. The SHA1PRNG allowed developers to use a user password and expand a smaller key into a larger encryption key.
"The problem is that the SHA1PRNG algorithm is not cryptographically strong," Giro says. As such, he's advising developers to use stronger algorithms such as AES if they need to create encryption key derivates.
The Android team has put together a series of recommendations to help developers migrate their apps away from the Crypto provider and its SHA1PRNG algorithm.