Conscrypt

The Conscrypt module accelerates security improvements and improves device security without relying on OTA updates. It uses Java code and a native library to provide the Android TLS implementation as well as a large portion of Android cryptographic functionality such as key generators, ciphers, and message digests. Conscrypt is available as an open source library, though it has some specializations when included in the Android platform.

The Conscrypt module uses BoringSSL, a native library that is a Google fork of OpenSSL and which is used in many Google products for cryptography and TLS (most notably Google Chrome), in conjunction with Conscrypt code (both Java and native code). BoringSSL doesn't have official releases (all users build from head) and makes no guarantees around API or ABI stability.

Changes in Android 10

Android 9 doesn't include an Android-specific public API for Conscrypt but instead uses a security provider that implements standard classes for Java Cryptography Architecture (JCA) including Cipher and MessageDigest, and Java Secure Socket Extension (JSSE), including SSLSocket and SSLEngine. Users interact with those classes and some nonpublic Conscrypt APIs are used by libcore or frameworks code.

Android 10 adds a small number of public API methods in android.net.ssl to access Conscrypt functionality that isn't exposed by the classes under javax.net.ssl. Android 10 also includes a slimmed copy of Bouncy Castle to provide lower-popularity cryptographic tools as part of Android Runtime (not included in the Conscrypt module).

Format and dependencies

The Conscrypt module (`com.android.conscrypt`) is distributed as an APEX file that includes the Conscrypt Java code and a Conscrypt native library that dynamically links to Android NDK libraries (such as liblog). The native library also includes a copy of BoringSSL that has has been validated (Certificate #3753) through NIST's Cryptographic Module Validation Program (CMVP).

Note: The Conscrypt module includes /external/conscrypt and /external/boringssl, but doesn't include /external/bouncycastle.

The Conscrypt module exposes the following APIs:

Public APIs are extensions of classes and interfaces in packages under java.* and javax.*, plus classes under android.net.ssl.*. External app code doesn't call Conscrypt directly. Platform API standards ensure that these APIs remain backward- and forward-compatible.
Core platform APIs are hidden APIs used by the framework to access nonpublic functionality. These are relatively limited; the largest user is NetworkSecurityConfig, which extends the Conscrypt trust manager (the component that verifies certificates) to implement the network security configuration feature.
Intra-core APIs are limited to zero-argument constructors called reflectively by the JCA and JSEE machinery.