Write up on Spongey castle versus bouncey castle and the other android security providers [Android]

[commjoen]

One important topic that has not been covered is the use of security providers and the patching of some of them. For instance:

• there are various versions of "altered" bouncey-castles delivered with older versions of Android and then there's spongey-castle to fix that, but it will mostly force developers to multi-dex, which is another issue (in 0x05e-Testing-Cryptography.md)
• we need to patch the security provider as https://developer.android.com/training/articles/security-gms-provider.html for your ssl traffic (a new testcase in 0x05g-Testing-Network-Communication.md )
• There is a boatload of security providers in later version of android, we need to inform both developers and pentesters on which ones are important (in 0x05e-Testing-Cryptography.md).

[commjoen]

Will create a new chapter in the platform and create a new item in the MASVS first: PR is created as https://github.com/OWASP/owasp-masvs/pull/95

[commjoen]

Once PR is accepted, I can create content in the MSTG.

[commjoen]

I will create a new testcase in 0x05g for patching the security provider. The BC/security providers will be described in 0x05e-Testing-Cryptography.md as part of the packages available with implementations on the crypto

[sushi2k]

@commjoen: Can we close this ticket? There is still one todo in the test case ""

[commjoen]

All todo's are resolved. let's close!