1

Android's MessageDigest page says MD5 is supported from day one - https://developer.android.com/reference/java/security/MessageDigest

But the MessageDigest.getInstance("MD5") method can throw NoSuchAlgorithmException and there is no getMD5Instance method which would have made it guaranteed. Is there any chance MD5 won't be available at least in newer android versions later than 23 (Marshmallow)? Thanks for replies.

There is another thread which discusses this but is 7 years old with some occurrences reported on android 2.x devices (Gingerbread). Is MD5 guaranteed to be available for use with MessageDigest in Android?

arunskrish
  • 417
  • 6
  • 13

1 Answers1

1

But the MessageDigest.getInstance("MD5") method can throw NoSuchAlgorithmException

Correct. That is how the Java JDK defines MessageDigest. This class is not custom for the Android SDK.

there is no getMD5Instance method which would have made it guaranteed

Correct. Presumably, the JDK is set up to be able to discontinue obsolete algorithms in the future.

Is there any chance MD5 won't be available at least in newer android versions later than 23 (Marshmallow)?

It would surprise me if many current devices lack MD5 support. However:

  • With 26,000+ device models, and with device manufacturers that can do what they want, we cannot assume that everything supports MD5; and

  • We do not know what the future might bring — it is possible that MD5 will be removed for one reason or another

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • Thanks much @CommonsWare, so device manufacturers could modify provider which might not have MD5 support. May be using SHA256 is a little more safer in this regard. This is a tough one but is including a provider library like bounty castle within the app recommended? From what you said and the android page, getInstance() not finding any provider for MD5 or SHA256 would be extremely rare and can be discounted? – arunskrish Feb 06 '21 at 21:33
  • 1
    @arunskrish: "May be using SHA256 is a little more safer in this regard" -- it has the advantage of being a newer algorithm. MD5 is rather old, and it is not considered to be cryptographically secure anymore. "is including a provider library like bounty castle within the app recommended?" -- there may be a lighter-weight solution than that. Also, Android contains a bit of Bouncy Castle in it (or at least it used to), which is why somebody needed to fork it into Spongy Castle to avoid name conflicts. But, if MD5 is absolutely essential, you should bundle an implementation into your app. – CommonsWare Feb 06 '21 at 21:38