{"id":28113154,"url":"https://github.com/tozny/java-aes-crypto","last_synced_at":"2025-05-14T05:06:23.986Z","repository":{"id":23295087,"uuid":"26654294","full_name":"tozny/java-aes-crypto","owner":"tozny","description":"A simple Android class for encrypting \u0026 decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.","archived":false,"fork":false,"pushed_at":"2019-10-16T16:33:46.000Z","size":233,"stargazers_count":738,"open_issues_count":3,"forks_count":255,"subscribers_count":48,"default_branch":"master","last_synced_at":"2023-10-20T23:32:06.695Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tozny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-14T19:37:28.000Z","updated_at":"2023-10-19T03:08:55.000Z","dependencies_parsed_at":"2022-07-25T12:32:49.137Z","dependency_job_id":null,"html_url":"https://github.com/tozny/java-aes-crypto","commit_stats":null,"previous_names":[],"tags_count":2,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozny%2Fjava-aes-crypto","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozny%2Fjava-aes-crypto/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozny%2Fjava-aes-crypto/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozny%2Fjava-aes-crypto/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tozny","download_url":"https://codeload.github.com/tozny/java-aes-crypto/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254076849,"owners_count":22010611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-14T05:01:31.249Z","updated_at":"2025-05-14T05:06:23.979Z","avatar_url":"https://github.com/tozny.png","language":"Java","funding_links":[],"categories":["安全","Awesome Mobile Application Penetration Testing  ![awesome](https://awesome.re/badge.svg)"],"sub_categories":["Android Application Penetration Testing"],"readme":"java-aes-crypto\n===============\n\nThis AES library is very simple and works only on Android. For a cross-platform encryption system, please use [TozStore](https://tozny.com/tozstore). It's available for Android, iOS, and JavaScript for the browser, as well as back-end systems like Node, Ruby, Python, Java, and Go.\n\nJava-AES-Crypto is Tozny's simple Android class for encrypting \u0026amp; decrypting strings, aiming to avoid [serious cryptographic errors](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/) that most such classes suffer from. [Show me the code](https://github.com/tozny/java-aes-crypto/blob/master/aes-crypto/src/main/java/com/tozny/crypto/android/AesCbcWithIntegrity.java)\n\n# Features\n\nHere are the features of this class. We believe that these properties are consistent with what a lot of people are looking for when encrypting Strings in Android.\n\n* *Works for strings*: It should encrypt arbitrary strings or byte arrays. This means it needs to effectively handle multiple blocks (CBC) and partial blocks (padding). It consistently serializes and deserializes ciphertext, IVs, and key material using base64 to make it easy to store.\n* *Algorithm \u0026 Mode*: We chose: AES 128, CBC, and PKCS5 padding. We would have picked GCM for its built-in integrity checking, but that's only available since Android Jelly Bean.\n* *IV Handling*: We securely generate a random IV before each encryption and provide a simple class to keep the IV and ciphertext together so they're easy to keep track of and store. We set the IV and then request it back from the Cipher class for compatibility across various Android versions.\n* *Key generation*: Random key generation with the updated generation code recommended for Android. If you want password-based keys, we provide functions to salt and generate them.\n* *Integrity*: Lots of people think AES has integrity checking built in. The thinking goes, \"if it decrypts correctly, it was generated by the person with the private key\". Actually, AES CBC allows an attacker to modify the messages. Therefore, we've also added integrity checking in the form of a SHA 256 hash.\n* *Older Phones*: It's designed for backward compatibility with older phones, including ciphers that are available for most versions of Android as well as entropy fixes for old Android bugs.\n\n\n# How to include in project?\n\n## Copy and paste\n\nIt's a single very simple java class,\n[AesCbcWithIntegrity.java](https://github.com/tozny/java-aes-crypto/blob/master/aes-crypto/src/main/java/com/tozny/crypto/android/AesCbcWithIntegrity.java)\nthat works across most or all versions of Android. The class should be easy to\npaste into an existing codebase.\n\n## Android Library project\n\nThe library is in Android library project format so you can clone this project\nand add as a library module/project.\n\n## Maven Dependency\n\nWe've also published the library AAR file via Jitpack for simple\ngradle dependency management:\n\nAdd the Jitpack repository to your root build.gradle:\n\n```groovy\nallprojects {\n  repositories {\n    ...\n    maven { url 'https://jitpack.io' }\n  }\n}\n```\n\nAdd the dependency to your project's build.gradle:\n\n```groovy\ndependencies {\n  compile 'com.github.tozny:java-aes-crypto:1.1.0'\n}\n```\n\n# Examples\n\n## Generate new key\n\n```java\n  AesCbcWithIntegrity.SecretKeys keys = AesCbcWithIntegrity.generateKey();\n```\n\n## Generate a key from a password or passphrase\n```java\n  EXAMPLE_PASSWORD = // Get password from user input\n  String salt = saltString(generateSalt());\n  // You can store the salt, it's not secret. Don't store the key. Derive from password every time\n  Log.i(TAG, \"Salt: \" + salt);\n  key = generateKeyFromPassword(EXAMPLE_PASSWORD, salt);\n```\n\n## Encrypt\n\n```java\n   AesCbcWithIntegrity.CipherTextIvMac cipherTextIvMac = AesCbcWithIntegrity.encrypt(\"some test\", keys);\n   //store or send to server\n   String ciphertextString = cipherTextIvMac.toString();\n```\n\n## Decrypt\n\n```java\n  //Use the constructor to re-create the CipherTextIvMac class from the string:\n  CipherTextIvMac cipherTextIvMac = new CipherTextIvMac (cipherTextString);\n  String plainText = AesCbcWithIntegrity.decryptString(cipherTextIvMac, keys);\n```\n\n## Storing Keys\n\nOnce you've generated a random key, you naturally might want to store it. This\nmay work for some use cases, but please be aware that if you store the key in\nthe same place that you store the encrypted data, your solution is not\ncryptographically sound since the attacker can just get both the key and the\nencrypted text. Instead, you should use either the [Keystore\ninfrastructure](http://developer.android.com/training/articles/keystore.html)\nor consider generating the key from a passphrase and using that to encrypt the\nuser data.\n\nIf despite the above you still want to store the key, you can convert the keys\nto a string using the included functions and store them in preferences or\nSQLite.\n\nNote that if you hard-code keys or passphrases, or generate them from a static\nvalue, you will likely get an [error message from the Android security scanner](https://support.google.com/faqs/answer/9450925).\n\n# License\n\nThe included MIT license is compatible with open source or commercial products.\nTozny also offers custom support and licensing terms if your organization has\ndifferent needs. Contact us at [info@tozny.com](mailto:info@tozny.com) for more\ndetails.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftozny%2Fjava-aes-crypto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftozny%2Fjava-aes-crypto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftozny%2Fjava-aes-crypto/lists"}