OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Conscrypt instead of Spongy/Bouncy Castle for old Android #2338

Closed rlatapy-luna closed 1 year ago

rlatapy-luna commented 1 year ago

https://github.com/OWASP/owasp-mastg/blob/156e3d2af792ee5590a22a0b871646b5af43a993/Document/0x05e-Testing-Cryptography.md?plain=1#L111

What about using Conscrypt for older API?

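```groovy
dependencies {
  implementation 'org.conscrypt:conscrypt-android:2.5.2'
}
```

```kotlin
import java.security.Security
import org.conscrypt.Conscrypt

// Register Conscrypt as a JCA provider (addProvider appends it to the end of the provider list)
Security.addProvider(Conscrypt.newProvider())
```
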
cpholguera commented 1 year ago

That should, in general, be the best practice. Thanks for pointing that out, @rlatapy-luna.

Would you mind opening a PR to update that content?