
Android 4.4 KitKat and the Secret Key Factory - DanielRibeiro
http://www.infoq.com/news/2013/12/KitKat-SecretKeyFactory
======
brian_cloutier
This link adds nothing to the original content, which can be found at [1].

Neither mentions that this will not break apps which were built for an older
OS and are simply run on KitKat. In order for the app to break, the developer
must specifically change the API their app targets to KitKat without changing
which key generation algorithm they use. I wish the docs [2] mentioned this
change, but presumably if you're developing apps you'll be following the blog.

It would be very cool, and it's certainly within Google's capabilities, if
Google emailed developers using PBKDF2WithHmacSHA1 to notify them. That would
close the loop and prevent anybody from being caught by the breaking change.

[1] http://android-developers.blogspot.com/2013/12/changes-to-secretkeyfactory-api-in.html

[2] http://developer.android.com/reference/javax/crypto/SecretKeyFactory.html

------
RyanZAG
How does this kind of stupidity get in there in the first place? When making a
secure secret key, who in their right mind would decide to only use the low 8
bits?
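
As an added illustration of what both commenters are describing (this is example code written for this page, not code from the thread, from Google, or from Android itself), the following Python models the two password encodings in front of PBKDF2-HMAC-SHA1. The legacy derivation keeps only the low 8 bits of each Java char (UTF-16 code unit), which is my reading of the "low 8 bits" behaviour mentioned above; the KitKat derivation for apps targeting API 19 feeds the password's UTF-8 bytes to the KDF, which is how the linked Android post describes the change. The salt, iteration count, key length, and the `verify_and_migrate` helper are constructed for the example and are not part of any Android API.

```python
import hashlib
import hmac

# Constructed sample parameters; a real app stores a random per-user salt.
SALT = b"constructed-sample-salt"
ITERATIONS = 4096
KEY_LEN = 32


def password_bytes_low8(password: str) -> bytes:
    """Model of the pre-KitKat PBKDF2WithHmacSHA1 input the thread describes:
    only the low 8 bits of each Java char (UTF-16 code unit) reach the KDF."""
    units = password.encode("utf-16-le")  # each char -> (low byte, high byte)
    return bytes(units[0::2])             # keep only the low byte of every unit


def password_bytes_utf8(password: str) -> bytes:
    """KitKat behaviour for apps targeting API 19: the password's UTF-8 bytes."""
    return password.encode("utf-8")


def derive_legacy(password: str, salt: bytes = SALT) -> bytes:
    """Key an app got before targeting KitKat (low-8-bit password bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password_bytes_low8(password),
                               salt, ITERATIONS, KEY_LEN)


def derive_kitkat(password: str, salt: bytes = SALT) -> bytes:
    """Key the same app gets once it targets KitKat (UTF-8 password bytes)."""
    return hashlib.pbkdf2_hmac("sha1", password_bytes_utf8(password),
                               salt, ITERATIONS, KEY_LEN)


def collides_under_low8(a: str, b: str) -> bool:
    """True when two distinct passwords are indistinguishable to the legacy KDF,
    which is the weakness behind RyanZAG's complaint: U+0141 'Ł' and 'A' share
    the low byte 0x41, so they derive the same key."""
    return a != b and password_bytes_low8(a) == password_bytes_low8(b)


def verify_and_migrate(password: str, stored_key: bytes, salt: bytes = SALT):
    """Hypothetical migration check for an app raising its target to KitKat.
    Returns (scheme, key): 'utf8' when the stored key already matches the new
    derivation, 'legacy' when it only matches the old one (the caller should
    re-wrap its data under the returned new key), or (None, None) on mismatch."""
    new_key = derive_kitkat(password, salt)
    if hmac.compare_digest(new_key, stored_key):
        return "utf8", new_key
    if hmac.compare_digest(derive_legacy(password, salt), stored_key):
        return "legacy", new_key
    return None, None


if __name__ == "__main__":
    for pw in ["hunter2", "café", "Łukasz"]:
        same = derive_legacy(pw) == derive_kitkat(pw)
        print(f"{pw!r}: legacy key == KitKat key? {same}")
    print("'Łukasz' and 'Aukasz' collide under low-8:",
          collides_under_low8("Łukasz", "Aukasz"))
```

Pure-ASCII passwords derive the same key either way, which is why most apps never noticed; any password containing a character above U+00FF derives a different key after the target-API change, and under the legacy encoding distinct passwords can collide outright. An app that keeps existing encrypted data has to either stay on the legacy algorithm or run a one-time migration like `verify_and_migrate` on the next successful login.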

