Comparison of string encryption performance using symmetric methods in Android
In our daily lives, there is a great deal of buzz about data protection and security. We would never want our information to get into anyone else’s hands, especially someone with wrong intentions.
I had a similar case where I had to store a lot of string content locally. So I wanted to know which algorithm would have the least performance impact but would still suffice as a basic encryption for my data.
So while researching about the mehtods, I learnt about cncryption , cncoding and hashing. Unlike encryption, Encoding and Hashing are not used for encryption purposes. It is a technique in which information is translated from one medium into another so that various systems can recognize and absorb it.
Encryption is the method of encoding information so that data can be accessed only by users who have authorization. Encryption does not itself preclude attacks from intrusion and eavesdropping, but denies the interceptor intelligible information.
There are two types of encryption:
The encryption and decryption keys are the same in this encryption technique. The key is often referred to as a shared secret since the secret key must be shared by the sender or computer system doing the encryption with someone allowed to decrypt the message. Uh. E.g. Advanced Encryption (AES)
The encryption and decryption keys are distinct in this encryption technique. For others to use and encrypt data, the encryption key is released, although only the receiving user has access to the decryption key that decrypts the encrypted data. Uh. E.g. The Adleman-Shamir-Rivest (RSA)
In this article, we put together a comparision between encoding methods, blowfish, AES and cha-cha encryption methods. For each methods, we have the options to include padding and as well as choose block patterns.
Glossary of some methods:
The base64 method is not really an encryption but rather it is a technique to convert the string into a medium where other systems are able to recognise it without loss in it. I have added it here just to compare it as a way of masking our strings, which might not be understandable by a very simple user.
Shifting is a another form of encoding, where we we just shift the values of our characters to a certain extent, so that user see intangible characters. You do have to store the shifting amount, which might be accessible by hacker during reverse engineering.
XOR method is a form of encryption used to encrypt data and is difficult to break by brute force, i.e. generating random encryption keys to match the correct one. It is infact used by many encryption algorithms under the hood. With this logic, by applying the bitwise XOR operator to any character using a given key, a string of text can be encrypted. To decrypt the output, the cipher will be extracted by simply reapplying the XOR function with the key.
The chacha method is only available for Android by default natively from SDK 28 but we still kept it here because it’s known to be reasonably fast.
AESCBC is a custom method that used some best practices for encryption as mentioned in here.
Device Info: Mi A3, Android 11
Note: I did not run the app in a unit test because I wanted to see how encryption happens in a close to real world scenario.
Each string has been encrypted and decrypted with the number of iteration to find an average time for the process.
Text length: 307
As can be seen from the graph the fastest method for encoding is using base64. Shifting does take quite a good amount of time. XOR method took a lot of time as well which I believe is due to not using native methods. The fastest method for encryption is chacha20. AES/CTR/NoPadding is pretty fast as well.
As for the decryption graph chacha decryption is even faster than decoding base64.
Longer Strings Like a blog article: 6684
Base64 encoding is still the fastest to encode. However, for encryption, AES/CTR/NoPadding is a bit faster for encrypting and decrypting. Chacha is 3rd position.
As seen in the 1st test, decryption of chacha and AES/CTR/NoPadding is faster than base64
Short String: 16
For encryption and decryption of a very short text, it seems AES/CTR/NoPadding and Chacha20 are not that well suited. I am sure cryptography experts can explain to me why that is the case, which I assume is because of some kind of overhead that is negligible in longer strings.
So in case of encrypting and decrypting a short string, AES/OFB/NoPadding or Blowfish/CTR/Nopadding would be much better.
I think based on my understanding and performance analysis, AES/CTR/NoPadding is a good choice for all android versions. If we are supporting SDK 28 and up then we can utilise Chacha Algorithm, which is very very impressive. If saving the encryption is the most important thing, then one should consider asssymettric encryption like RSA or others.
One should not use base64 for hiding strings as with a similar performance we are able to encrypt our strings using encryption.
However, even for symmetric encryption, keeping the passphrase secure in the most important part. Lets see in the next section ways we can improve that.
Tips for storing the passphrase
- In order for hackers not to obtain them using password stuffing or brute-forcing, keys should be complicated and well-protected. To distribute keys and store keys and keep them out of the wrong hands, you should consider a secure process. Keys should not be transmitted over the network in plain text or stored as a string in the app.
- Instead of using a string as a passphrase, use a value that is unique to the local device, so that hackers would not detect that particular values as a passphrase.
- Better yet, use the local static value, apply some other encoding or encryption method and then use that converted string as a passphrase for the actual encryption
- Store the passphrase in keystore
Thanks for reading my article.
Here is the source code I used to compare the encryptions. Would love to see how the performance changes with different devices and OSs.