The Conscrypt module accelerates security improvements and improves device security without relying on OTA updates. It uses Java code and a native library to provide the Android TLS implementation as well as a large portion of Android cryptographic functionality such as key generators, ciphers, and message digests. Conscrypt is available as an open source library, though it has some specializations when included in the Android platform.
The Conscrypt module uses BoringSSL, a native library that is a Google fork of OpenSSL and which is used in many Google products for cryptography and TLS (most notably Google Chrome). BoringSSL doesn't have official releases (all users build from head) and makes no guarantees around API or ABI stability.
Changes in Android 10
Android 9 doesn't include an Android-specific public API for Conscrypt but
instead uses a security provider that implements standard classes for Java
Cryptography Architecture (JCA) including Cipher and MessageDigest, and
Java Secure Socket Extension (JSSE), including SSLSocket and SSLEngine.
Users interact with those classes and some nonpublic Conscrypt APIs are used
libcore or frameworks code.
Android 10 adds a small number of public API methods
android.net.ssl to access Conscrypt functionality that isn't
exposed by the classes under
10 also includes a slimmed copy of
Bouncy Castle to provide lower-popularity cryptographic
tools as part of Android Runtime (not included in the Conscrypt module).
Format and dependencies
The Conscrypt module is distributed as an
APEX file that includes the Conscrypt
Java code and a Conscrypt native library that dynamically links to Android NDK
libraries (such as
liblog). The native library also includes a
copy of BoringSSL that has
Cryptographic Algorithm Validation Program (CAVP)
certification on AArch64. This copy has not been validated
Cryptographic Module Validation Program (CMVP).
The Conscrypt module exposes the following APIs:
- Public APIs are extensions of classes and interfaces in
javax.*, plus classes under
android.net.ssl.*. External app code doesn't call Conscrypt directly. Platform API standards ensure that these APIs remain backward- and forward-compatible.
- Core platform APIs are hidden APIs used by the framework
to access nonpublic functionality. These are relatively limited; the largest
NetworkSecurityConfig, which extends the Conscrypt trust manager (the component that verifies certificates) to implement the network security configuration feature.
- Intra-core APIs are limited to zero-argument constructors called reflectively by the JCA and JSEE machinery.