Facebook has recently released a tool for making Android apps more secure in storing data. Does Facebook mean well, or could the social network simply be protecting its own advertising data from prying eyes?
Facebook is hardly the first name that comes to mind when one thinks of privacy and security, let alone cryptography. While the social network claims to ensure user privacy, its prior actions have suggested that the company might . Take these examples for instance: public posts by minors, no opting-out of Graph Search, and blanket eavesdropping permissions for Messenger.
These concerns notwithstanding, Facebook aims to improve the user experience by ensuring the privacy of mobile communications while still optimizing for speed, particularly on low-spec devices. With its latest “Conceal” code library, Facebook is providing developers with a set of programming tools and interfaces for storing sensitive app data on an Android phone’s external (microSD) storage without worrying about this data being pilfered by other applications.
App developers can opt to store authentication tokens and other data on the SD card to conserve bandwidth and to save on internal memory usage. However, because the SD card is mounted as a public resource by Android, other applications can easily look into the contents of other apps’ data, if left unsecured. Existing cryptography is available, although some options might not be optimized for low-resource usage. In some cases, developers opt for weaker encryption simply because this is the default offered by their software development libraries, thereby leading to vulnerabilities.
Conceal provides an easy-to-use programming interface that lets developers store their data in a secure form without sacrificing performance. In a post at Facebook Code, engineer Subodh Iyengar writes how Facebook has chosen to open-source this particular cryptographic tool, which should support devices running Android 2.3 Gingerbread and above (with partial support for 2.2 FroYo). Encrypting data is simple: “you simply pass an output stream and get back a wrapped OutputStream which encrypts data as it is written to it.”
According to Iyengar, apps that use Conceal’s cryptography run significantly faster, as shown by performance benchmarks that Facebook itself has done with a low-spec Samsung Galaxy Y. At present, Facebook uses the technology to encrypt image files cached on users’ external storage. “The major target for this project is typical Android devices which run old Android versions, have low memory and slower processors.”
In open-sourcing this cryptographic tool, Facebook is helping make mobile data more secure for users. However, one might wonder about Facebook’s intent in protecting its data cache. Does Facebook want to prevent the data it collects from users from falling into the wrong hands?
Source: Facebook Code