It is documented as not supporting Android. Why? Is it just because Android's BouncyCastle's implementation is shrunk down on features and doesn't support things like KeyPairGenerator/ECDSA (Elliptic Curve Digital Signature Algorithm)?
(Here's another link on that.)
Wouldn't it be enough to just use SpongyCastle instead? Is it just because Google doesn't support SpongyCastle that its KMS Java client doesn't support Android?
https://github.com/GoogleCloudPlatform/google-cloud-java/issues/1696#issuecomment-284464059 is the most authoritative explanation I can find. Quoting garrettjonesgoogle:
We have not done any specific work to make google-cloud-java compatible with Android, and there are a number of known issues (as you have discovered). First-class Android support will come at a later date.
Our currently-recommended way is to have your own server (e.g. on App Engine) that makes the calls to GCP, and your own Android app makes calls to your server. The reason is that google-cloud-java only has support for 2LO auth (service-account-based), not 3LO auth (user-account-based). If you make calls from your android app with 2LO auth, it's theoretically possible for someone to steal your service credentials from your app and use them in their own app. This isn't a problem with 3LO, though.