java - Double encryption

Question

I am using https://github.com/simbiose/Encryption to encrypt data in my android app.

I thought of double encryption.

String key = "key";
String salt = "someSalt";
byte[] iv = new byte[16];
Encryption encryption = Encryption.getDefault(key, salt, iv);

String encrypted = encryption.encryptOrNull("Some String");

Log.d("Encrypto", "Encryption Level 1 : "+encrypted);

encrypted = encryption.encryptOrNull(encrypted);

Log.d("Encrypto", "Encryption Level 2 : "+encrypted);

String decrypted = encryption.decryptOrNull(encrypted);

Log.d("Encrypto", "Decryption Level 2 : "+decrypted);

decrypted = encryption.decryptOrNull(decrypted);

Log.d("Encrypto", "Decryption Level 1 : "+decrypted);

This works perfectly, but is it recommended?

1. yes this increases the memory usage to store the encrypted string, but if it makes it more secure, using more memory is pretty okay.
2. Will i face some problems if i do this ?

Main question: is this a good encryption library? if not please recommend me a better one

Answer 1

Do you really need to encrypt the data?

https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html

Why do you want double encryption? There are better ways - for example, a longer key - to add resistance against people performing offline brute force attacks on cipher text.

"Security through obscurity" is a no-no. Go back to the basics of what you need (key length, block size, mode of encryption, when to use a symmetric or asymmetric key) etc.

As you are writing an Android app, I would question..

• The library is written in Java and makes Java system calls. That will be simple to reverse / hook system calls. Does adding a longer key help harden your app when you can dump the key by hooking an Android system call?
• your Android Java code is de-compiled to "almost" source code or back to Smali code - then modified - and then re-compiled?
• How are you intending to distribute the key ? Run-time or statically baked into the code? Is it random or the same key for all app users?
• Can you leverage Android hardware to persist and protect your key, instead of just having the key in software? https://source.android.com/security/keystore/

If it was my app && I cared about Confidentiality I would use hardware backed encryption (accepting that some older Android devices might not support it) OR use a Native (C) encryption library. The latter gets you wide device support but introduces other issues (JNI boundary, code lifting).

In summary, introducing encryption sounds simple. But do you really need it when it just highlights something interesting is being protected?

PS - You may want to re-post this question on: https://security.stackexchange.com/