As a mobile developer, your biggest concern is the security of user data (and your own, of course). In the quest for security, your biggest weapon is encryption. Encrypt something, and you can go for a nap with the relieving knowledge that what you encrypted will remain safe. Unless you happened to use DES encryption.
Not all algorithms are created equal
As developers, we are conditioned to think in terms of libraries that just get it done. Call the Mailgun API and know that the email will be delivered; call the S3 functions and you know your file will be uploaded to the right place – it seems like the simple act of calling a function is enough.
Unfortunately, security doesn’t allow us this luxury of nonchalance. There are two simple reasons for this: 1) Too much is at stake, and 2) Not all algorithms are good for encrypting data. Data Encryption Standard (DES) sounds like something really sophisticated, but if you even just scratch the surface, the flaws are visible.
Origins of DES Encryption
To understand why DES sucks so much, take a look at its history. In the 1970s (yes, the ’70s!), the U.S. National Bureau of Standards was concerned about the security of data (understandably so). And so it invited proposals for a suitable encryption algorithm under the umbrella term of Data Encryption Standard (DES). One of the participants was IBM, which designed the accepted version of the algorithm. DES was conceived as a symmetric encryption algorithm using 56-bit keys.
Why DES is hopeless today
By today’s standards, DES is pathetic. There are a number of reasons for that:
- 56-bit keys are too small when the power of today’s computers is taken into account. Consider the more advanced AES standard, which uses 128- and 256-bit keys.
- Symmetric encryption has more or less fallen out of fashion. Sending the key over the same channel you later intend to protect with that key is just plain silly. This is why public-key encryption has replaced everything else today.
Okay, so just how bad is DES? Even as far back as 1999, the DES algorithm was demonstrably broken. A machine named Deep Crack was designed which could break a DES key in just over 22 hours. Shocking, to say the least. Today, this time would run into minutes, or maybe even seconds if cloud infrastructure is used.
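The practical question for a mobile developer is whether DES is still lurking somewhere in the code base. The following is an added example, not code from the original post: a small audit script that scans Android-style (Java/Kotlin, JCE) source for `Cipher.getInstance`, `KeyGenerator.getInstance` and `SecretKeyFactory.getInstance` calls that request DES, and scales the 22-hour Deep Crack figure from the text to other key sizes so the 56-bit versus 128-bit gap becomes concrete. The sample source lines are constructed for the example; the assumption that the app uses the JCE API is the example's, not the post's.

```python
import re
from typing import List, Tuple

# Constructed sample source (not from any real app): a mix of DES and AES usage
# in the Java Cryptography Extension (JCE) style used on Android.
SAMPLE_SOURCE = """\
Cipher c1 = Cipher.getInstance("DES/CBC/PKCS5Padding");
KeyGenerator kg = KeyGenerator.getInstance("DES");
Cipher c2 = Cipher.getInstance("AES/GCM/NoPadding");
SecretKeyFactory f = SecretKeyFactory.getInstance("DES");
Cipher c3 = Cipher.getInstance("AES/CBC/PKCS5Padding");
"""

# Algorithms the audit flags, with the reason reported to the developer.
WEAK_ALGORITHMS = {
    "DES": "56-bit key; Deep Crack recovered a DES key in just over 22 hours in 1999",
}

# Matches e.g. Cipher.getInstance("DES/CBC/PKCS5Padding") and captures the
# transformation string; the algorithm is the part before the first '/'.
_GET_INSTANCE = re.compile(
    r'\b(Cipher|KeyGenerator|SecretKeyFactory)\.getInstance\(\s*"([^"]+)"'
)


def algorithm_name(transformation: str) -> str:
    """Return the algorithm part of a JCE transformation ("DES/CBC/..." -> "DES")."""
    return transformation.split("/")[0].strip().upper()


def find_weak_ciphers(source: str) -> List[Tuple[int, str, str]]:
    """Scan source text; return (line number, transformation, reason) per weak use."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _GET_INSTANCE.finditer(line):
            transformation = match.group(2)
            reason = WEAK_ALGORITHMS.get(algorithm_name(transformation))
            if reason is not None:
                findings.append((lineno, transformation, reason))
    return findings


def brute_force_hours(key_bits: int, reference_bits: int = 56,
                      reference_hours: float = 22.0) -> float:
    """Scale the 22-hour, 56-bit Deep Crack figure to another key size.

    Assumes the same key-testing rate; every extra key bit doubles the work.
    """
    return reference_hours * 2 ** (key_bits - reference_bits)


if __name__ == "__main__":
    for lineno, transformation, reason in find_weak_ciphers(SAMPLE_SOURCE):
        print(f"line {lineno}: {transformation!r} -> {reason}")
    for bits in (56, 128, 256):
        print(f"{bits}-bit key at Deep Crack's rate: {brute_force_hours(bits):.3g} hours")
```

Run it against a real tree by reading each `.java`/`.kt` file into `find_weak_ciphers`; the regex deliberately only catches string literals, so a transformation built at runtime from a variable would still need a manual look.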
Just don’t use DES
That’s all we have to say. Simply don’t use DES in your mobile apps (or any apps, for that matter) and you’ll be fine. DES is a historical fossil that’s only of academic interest today. The industry moved on long ago, and so should you.
Ensure you are using encryption that actually secures your mobile apps.