Reputation: 111
If I understand the situation correctly, SpongyCastle is a renaming of BouncyCastle and it was created to give people the ability to include a new version of BouncyCastle on Android, since just including the latest BouncyCastle jar would cause conflicts with the old and stripped down version of BouncyCastle that came with Android.
However, apparently since version 3.0 (in 2011 - 6 years ago!) the Android BouncyCastle package was renamed to com.android.org.bouncycastle, so that now if you included the regular org.bouncycastle, this would no longer conflict with the pre-packaged stripped down BouncyCastle, and you could use the newest version that way.
What confuses me is that it seems like the SpongyCastle project is still quite active and whenever I search for "BouncyCastle on Android" or anything related, I get a lot of results from the last couple of years which recommend using SpongyCastle, citing the class conflict issues as the reasoning, even though they were (apparently) resolved all the way back in 2011. Another argument I've seen that makes more sense to me is that SpongyCastle is more backwards compatible, since you won't get any issues on devices running earlier versions of Android than 3.0.
So my question is, are there still any benefits to using SpongyCastle over BouncyCastle, if you are not targeting earlier versions of Android than 3.0?
Upvotes: 9
Views: 4487
Reputation: 719289
Here's what the author of Spongy Castle wrote on this:
Why might Spongy Castle not be obsolete?
- pre-Android 3.0 devices are still in active use. There are higher areas of use in poorer countries, and those people still need secure cryptography. Signal (not a SC user, so far as I'm aware) currently still supports Android 2.3 and up.
- even on post-Android 3.0 devices, device manufacturers are not above carelessly bundling libraries; it's possible that Bouncy Castle may still be bundled on some obscure devices.
- Although the version of Bouncy Castle bundled with Android has a changed package name, it still has "BC" as the provider name, leaving some ambiguity as to the choice of implementation when adding your own copy of Bouncy Castle to the app and choosing "BC" as your provider.
But then he went on to note that Spongy Castle releases often lag behind the Bouncy Castle releases ... for reasons which are entirely understandable.
In short, for an Android device the only possible benefits in using Spongy Castle would appear to be to deal with cases where your application needs recent Bouncy Castle functionality, but device manufacturers have bundled an old version.
Upvotes: 2
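The "BC" provider-name ambiguity from the third bullet can be checked and avoided at runtime. The following is an added example, not code from the question, the answer, or the Spongy Castle project; it assumes the regular org.bouncycastle provider jar is bundled with the app, and the names BcProviderCheck, describeRegisteredBc, sha256FromBundled and replaceRegisteredBc are made up for illustration.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class BcProviderCheck {

    /** Reports which implementation class currently answers to the name "BC". */
    static String describeRegisteredBc() {
        Provider p = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); // "BC"
        if (p == null) {
            return "no provider registered as BC";
        }
        // The platform copy lives under com.android.org.bouncycastle,
        // the bundled copy under org.bouncycastle; the class name tells them apart.
        return p.getClass().getName() + " / " + p.getInfo();
    }

    /** Option 1: skip the name lookup and pass the Provider object itself. */
    static MessageDigest sha256FromBundled(Provider bundled) throws Exception {
        return MessageDigest.getInstance("SHA-256", bundled);
    }

    /** Option 2: replace whatever is registered as "BC" with the bundled copy. */
    static void replaceRegisteredBc(Provider bundled) {
        // removeProvider returns silently if nothing is registered under the name
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        Security.insertProviderAt(bundled, 1);
    }

    public static void main(String[] args) throws Exception {
        Provider bundled = new BouncyCastleProvider();
        System.out.println("before: " + describeRegisteredBc());

        MessageDigest md = sha256FromBundled(bundled);
        System.out.println("digest served by: " + md.getProvider().getClass().getName());

        replaceRegisteredBc(bundled);
        System.out.println("after:  " + describeRegisteredBc());
    }
}
```

Option 2 changes provider lookup for the whole process, including other libraries that ask for "BC" by name, so option 1 is the narrower change when only your own code needs the newer implementation.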