When Do We Need to Provide Our Own Random Initialization Vector (IV) With Android?

Question

There are many published reports that on older versions of Android, we need to provide our own SecureRandom-based initialization vector (IV), as the default ones are not random:

• Generating IV for AES in Java
• https://medium.com/@tiensinodev/basic-android-encryption-dos-and-don-ts-7bc2cd3335ff
• https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/
• Android cryptography API not generating safe IV for AES

Conversely, as of API Level 23, if you try to provide your own IV, you also have to call setRandomizedEncryptionRequired(false) on the KeyGenParameterSpec.Builder, as otherwise you get a "Caller-provided IV not permitted when encrypting" exception.

Presumably, somewhere along the line, Android went from "awful" to "good enough" in terms of IV generation.

What is the cutoff, below which we should generate our own IV versus use Android's generated IV?

Answer 1

From a security point of view, you should always provide your own IV, because you would have total control of its randomization quality, and eliminate one potential security weak point.

Regarding the exception, in your perspective, the IV is random and good. But in Android's perspective, your provided IV is fixed and thus not good, the API does not know if it is properly randomly generated or not. So the exception "Caller-provided IV not permitted when encrypting" is just a general warning trying to warn developers against using bad IV and encourage them to use the built-in IV.

However, note that the built-in IV is just one method to build the IV. As you can see, no one assures its quality as of API Level 23, so the best practice is still to assure your own IV quality yourself.