When your smartphone caches part of your mobile apps and data onto your SD card, that data’s vulnerable: It can be seen by other apps. Facebook’s Conceal, a set of Java APIs, will solve the problem for those developers that use them.
“What many people don’t realize is that Android’s privacy model treats the SD card storage as a publicly accessible directory,” Subodh Iyengar, a Facebook developer, wrote in a blog post on Tuesday. “This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information.”
Conceal works by “wrapping” whatever data is written to your phone’s SD card in a layer of cryptography. Iyengar said that the technology was optimized for performance, so the crypto layer used a subset of cryptographic algorithms from OpenSSL to maximize performance. The software does use AES, however, to generate what’s known as a Message Authentication Code to validate the data package and validate that it hasn’t been tampered with.
In concept, Conceal provides something similar—but much less robust—to an encrypted store of information, such as the hardened, 256-bit AES encryption applied to a subset of the phone’s storage for BYOD technology like Samsung’s Knox. It won’t replace it, however.
So far, we haven’t been able to find a developer who has signed on to use Conceal. But Facebook has made the Conceal technology open-source, so that anyone can jump in and use it—including Facebook itself. Securing your SD card probably isn’t on your security to-do list, so this is also a good reality check: Your photos and other digital bits floating around on your phone’s card may not be for your eyes only.