Google to Remove Weak “Crypto” Provider in Android N

This week, Google announced plans to remove the Crypto provider from Android N, expected to be launched this fall.
The Java Cryptography Architecture (JCA) is a major piece of the Java platform that can work with various types of algorithms, which differ in their underlying principles and purpose.
When a developer wants to run operations that involve encryption, they call on one of these algorithms by loading its provider, which you can think of as a category, and then selecting the desired encryption algorithm.
Android supports most of the JCA providers, such as OpenSSL, BC, HarmonyJSSE, DRLCertFactory, and more.
Prior to Android N, one of these providers was Crypto, and it included support for algorithms such as SHA1PRNG, SHA1withDSA, DSA, and SHA-1. As you can see, most of these algorithms are considered weak and insecure in today’s encryption scene.
The Android team has put together a series of recommendations to help developers migrate their apps away from the Crypto provider and its SHA1PRNG algorithm.
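
To see what provider-pinned lookups look like in code, here is an added example (not from Google's announcement or from Android's code) that lists which installed providers offer each algorithm named above, and shows that a lookup naming the "Crypto" provider fails where that provider is absent while a lookup without a provider name still succeeds. The class and method names are hypothetical, and the service types paired with each algorithm name are an assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class CryptoProviderCheck {
    // Algorithms the article attributes to the "Crypto" provider.
    // The JCA service type for each one is an assumption made for this example.
    static final String[][] SERVICES = {
        {"SecureRandom", "SHA1PRNG"}, {"Signature", "SHA1withDSA"},
        {"KeyFactory", "DSA"}, {"MessageDigest", "SHA-1"},
    };

    // Names of installed providers that implement the given service type and algorithm.
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) names.add(p.getName());
        }
        return names;
    }

    // Provider-pinned lookup: returns null when the named provider is not installed.
    static SecureRandom pinned(String provider) throws NoSuchAlgorithmException {
        try {
            return SecureRandom.getInstance("SHA1PRNG", provider);
        } catch (NoSuchProviderException e) {
            System.out.println("provider '" + provider + "' not installed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String[] s : SERVICES) {
            System.out.println(s[0] + "/" + s[1] + " -> " + providersFor(s[0], s[1]));
        }
        // Code that names "Crypto" explicitly breaks once the provider is gone;
        // the no-argument constructor lets the platform choose its default source.
        SecureRandom r = pinned("Crypto");
        if (r == null) {
            r = new SecureRandom();
        }
        byte[] nonce = new byte[16];
        r.nextBytes(nonce);
        System.out.println("random source: " + r.getAlgorithm());
    }
}
```

On a desktop JVM, which has no provider named "Crypto", the pinned lookup takes the `NoSuchProviderException` branch, so the same class can be used to check how provider-pinned code behaves wherever that provider is missing.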

Submitted by: Arnfried Walbrecht
