The Android implementation is based on OpenSSL 1.1.1q. This version was released in October 2022 and is somewhat outdated. It's possible to build OpenSSL with the latest ndkports or use the binaries from KDAB, but this requires actions from upstream.
The iOS implementation is based on the pod OpenSSL-Universal, which supports recent OpenSSL versions(3.1.5 and 1.1.1v).
The supported ciphers for react-native-quick-crypto are the same for Android 6.0/12/13 and iOS 15.0. (2024.06.25: Well I found the supported ciphers are hard coded in the source code)
Supported ciphers
des-ecb
des
des-cbc
des3
des-ede3-cbc
des-ede3
des-ede-cbc
des-ede
aes-128-ecb
aes-192-ecb
aes-256-ecb
aes-128-cbc
aes-192-cbc
aes-256-cbc
aes128
aes192
aes256
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-cfb8
aes-192-cfb8
aes-256-cfb8
aes-128-cfb1
aes-192-cfb1
aes-256-cfb1
aes-128-ofb
aes-192-ofb
aes-256-ofb
aes-128-ctr
aes-192-ctr
aes-256-ctr
aes-128-gcm
aes-192-gcm
aes-256-gcm
I think we should use react-native-quick-crypto for its consistency and platfrom-independence across different Android SDKs and iOS versions. For example, I just found the key derivation algorithm PBKDF2withHmacSHA256, used in sjcl, is not supported in javax.crypto on Android until API 26+, whereas react-native-quick-crypto supports it. If no significant drawbacks are found in the future, I will advocate for using this library.
Honestly you can ignore Nextcloud E2EE as what they did it not up to standards. Maybe Signal or Proton would be worth looking at for example.
One reason things are slow in React Native is that crossing the bridge between the native and JS part is very slow, so maybe you can get better performance by avoiding the bridge. For example, by encrypting/decrypting and saving to database all on the native side. I don't know how easy it would be to do this as that might require significant changes of the app architecture
I suspect the slowest part is dealing with attachments rather than notes and these are just files in storage and don't need the database. Maybe this could be the first step?
We use several old and unmaintained libraries that might need to be updated before switching to the New Architecture (tracking spreadsheet).
We use rn-fetch-blob, react-native-fs, and react-native-device-info, which are listed as not supporting the New Architecture. Other libraries, like react-native-quick-actions and react-native-sqlite-storage are also unmaintained and thus unlikely to support the New Architecture.
That's what they say but when I switched to it there was many issues with it. But yes it would be good eventually to find replacements so that we can switch to the bridgeless architecture
Since when are we using this? I created react-native-version-info since we needed a way to get access to the version info data on mobile. Anyway, if react-native-device-info is now used, we can get rid of react-native-version-info. I'm pretty sure that the device info module also has functions to retrieve the CFBundleShortVersionString and versionName.
The first time it was referenced in the git commit history was in e865a5d7c61d2dc9bf8f1409e3f4bbaeb140c1f8 (2020), but it's possible it has been removed and re-added since then.
I think this is something that has to be done at one point anyway. I understand that it is annoying, but using unmaintained libs/modules seems quite dangerous to me.
Maybe one release can be dedicated to upgrading all libs.
I just found it's still possible to do the AEC-CCM encryption/decryption in react-native-quick-crypto, based on my test. So we can still reach Goal #2 on mobile clients.