Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption
In this episode of Upwardly Mobile, hosted by George & Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.Episode Summary:Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.
- AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Using AES-GCM mode provides both confidentiality and integrity/authenticity, which is vital. Modern mobile CPUs often have hardware acceleration (AES-NI) making it very fast.
- ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
- ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
- Hashing Algorithms: For integrity checks and password storage. Use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family. For password hashing, never just hash passwords; use dedicated functions like Argon2 (current best practice) or bcrypt, designed to be slow and memory-intensive to resist brute-force attacks.
- Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
- Key Management: Leverage platform-provided secure key storage like Android Keystore and iOS Keychain, which often use hardware-backed secure elements.
- The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.
- DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardware. Completely insecure.
- 3DES (Triple DES): While an improvement over DES, it's considered weak against current cryptanalysis and is significantly slower than modern standards like AES.
- RC4: A stream cipher vulnerable to multiple types of attacks, deprecated in TLS 1.3.
- MD5 & SHA-1: Hashing algorithms considered broken for security purposes like digital signatures or password hashing due to practical collision attacks. Use SHA-2 or SHA-3 instead.
- CBC Mode without MAC: Using modes like AES-CBC without combining them correctly with a strong Message Authentication Code (MAC) can lead to vulnerabilities like padding oracle attacks (POODLE) and bit-flipping attacks. AEAD modes like GCM handle this automatically.
- ECB Mode (Electronic Codebook): Never use for more than one block of data, as it leaks patterns visibly.
- Older
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!