Google’s Android P will have Cryptography changes

Google recently debuted and released the first developer preview of Android P a few days ago. The Android developers at Google needed to specifically call out some backward-incompatible changes they plan to make to the cryptographic capabilities in Android P, which is seen in the developer preview.

Changes to providers are as follows:

Starting in Android P, Google plans to deprecate some functionality from the BC provider that's duplicated by the AndroidOpenSSL (also known as Conscrypt) provider. This will only affect applications that specify the BC provider explicitly when calling getInstance() methods.

To me more specific, Google said that they aren’t doing this because they are concerned about the security of the implementations from the BC provider. They rather did this because having duplicated functionality imposes additional costs and risks while not providing much benefit.

If developers don't specify a provider in your getInstance() calls, no changes are required.

If you specify the provider by name or by instance—for example, Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC") or Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))—the behavior you get in Android P will depend on



what API level your application targets.

For apps targeting an API level before P, the call will return the BC implementation and log a warning in the application log. For apps targeting Android P or later, the call will throw NoSuchAlgorithmException.

Google states, that in order to resolve this, developers should stop specifying a provider and use the default implementation.

In a later Android release, Google also plans to remove the deprecated functionality from the BC provider entirely. Once removed, any call that requests that functionality from the BC provider (whether by name or instance) will throw NoSuchAlgorithmException.

Removal of the Crypto provider

In a previous post, Google had announced that the Crypto provider was deprecated beginning in Android Nougat. Since then, any request for the Crypto provider by an application targeting API 23 (Marshmallow) or before would succeed, but requests by applications targeting API 24 (Nougat) or later would fail.

In Android P, Google plans to remove the Crypto provider entirely. Once removed, any call to SecureRandom.getInstance("SHA1PRNG", "Crypto") will throw NoSuchProviderException. Please ensure your apps have been updated.