Do you really need to encrypt the data?
https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html
Why do you want double encryption? There are better ways - for example, a longer key - to add resistance against people performing offline brute force attacks on ciphertext.
"Security through obscurity" is a no-no. Go back to the basics of what you need (key length, block size, mode of encryption, when to use a symmetric or asymmetric key) etc.
As you are writing an Android app, I would question:
- The library is written in Java and makes Java system calls. That will be simple to reverse, or to hook the system calls. Does adding a longer key help harden your app when you can dump the key by hooking an Android system call?
- Your Android Java code is de-compiled to "almost" source code or back to Smali code - then modified - and then re-compiled?
- How are you intending to distribute the key? Run-time or statically baked into the code? Is it random or the same key for all app users?
- Can you leverage Android hardware to persist and protect your key, instead of just having the key in software? https://source.android.com/security/keystore/
If it was my app && I cared about Confidentiality I would use hardware backed encryption (accepting that some older Android devices might not support it) OR use a Native (C) encryption library. The latter gets you wide device support but introduces other issues (JNI boundary, code lifting).
In summary, introducing encryption sounds simple. But do you really need it when it just highlights something interesting is being protected?
PS - You may want to re-post this question on: https://security.stackexchange.com/
Fight with dragons for too long and you yourself become a dragon; gaze into the abyss for too long and the abyss gazes back into you…