Upwardly Mobile
Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption
In this episode of Upwardly Mobile, hosted by George & Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.
Episode Summary:
Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.
The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.
- AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Using AES-GCM mode provides both confidentiality and integrity/authenticity, which is vital. Modern mobile CPUs often have hardware acceleration (AES-NI) making it very fast.
- ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
- ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
- Hashing Algorithms: For integrity checks and password storage. Use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family. For password hashing, never just hash passwords; use dedicated functions like Argon2 (current best practice) or bcrypt, designed to be slow and memory-intensive to resist brute-force attacks.
- Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
- Key Management: Leverage platform-provided secure key storage like Android Keystore and iOS Keychain, which often use hardware-backed secure elements.
- The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.
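The hybrid approach from the last item, as an added example that is not from the episode: both sides run an ephemeral ECDH exchange, derive a session key, and protect a message with AES-256-GCM. It assumes Node.js with its built-in crypto module, X25519 as the curve and HKDF-SHA256 as the key derivation step; the context label, sequence tag and sample message are constructed.

```javascript
// Added example (not from the episode): ECDHE -> HKDF -> AES-256-GCM.
const crypto = require('node:crypto');

// Derive a 256-bit session key from the ECDH shared secret. The raw secret
// is never used as a key directly; HKDF binds it to a context label.
function deriveSessionKey(myPrivateKey, peerPublicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  const info = Buffer.from('example-app session key v1'); // hypothetical label
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, info, 32));
}

// AES-256-GCM: a fresh random 96-bit nonce per message, never reused with a key.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the tag check fails (tampering, wrong key or AAD).
function unseal(key, msg, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(msg.tag);
  try {
    return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed session: the "app" and the "server" exchange public keys only.
function demo() {
  // Fresh (ephemeral) key pairs per session, discarded afterwards.
  const app = crypto.generateKeyPairSync('x25519');
  const server = crypto.generateKeyPairSync('x25519');
  const salt = crypto.randomBytes(32); // sent in the clear with the handshake
  const appKey = deriveSessionKey(app.privateKey, server.publicKey, salt);
  const serverKey = deriveSessionKey(server.privateKey, app.publicKey, salt);
  const aad = Buffer.from('msg-seq:1'); // authenticated but not encrypted
  const msg = seal(appKey, Buffer.from('{"balance":1200}'), aad);
  const plaintext = unseal(serverKey, msg, aad).toString();
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 0x01; // one bit flipped in transit
  const tamperedResult = unseal(serverKey, tampered, aad);
  return { keysMatch: appKey.equals(serverKey), plaintext, tamperedResult };
}
```

The exchange in this sketch is unauthenticated, so on its own it does not tell either side who it is talking to; in TLS the server signs its key share with its certificate key.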
The Bad: Certain algorithms are outdated, inefficient, or have known vulnerabilities and should be avoided at all costs.
- DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardwa
This content was created in partnership and with the help of Artificial Intelligence (AI).