"Your app contains unsafe cryptographic encryption patterns" - How I can get rid of this warning?

A few days ago, in the "Pre-launch report for APK" in Google Play Console, it started to flag me with

Unsafe encryption

Detected in APK ???

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Centre article for details.

Vulnerable classes:

c.j.a.s.J.b



However, since the early days of the APK, I have not changed anything in the encryption code/decryption code. Hence, I'm not sure why Google has started to warn me on the recent APK.

Any idea how to resolve this? The information on the vulnerable class c.j.a.s.J.b is not helpful.

I tried to use ProGuard + mapping.txt to retrace c.j.a.s.J.b but was not able to figure out what class that is.

Any idea how I can get rid of Google security warning?

Cheok Yan Cheng asked Sep 19 '19 02:09


1 Answer

Google Play lists the vulnerable classes along with the function name; you can see this in the dialog.

Review your app for statically computed keys, initialization vectors, and/or salts that are used in cryptographic encryption operations and ensure that these values are constructed safely

For example :

import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Flagged pattern: the key and IV arrive as plain strings that the caller hard-codes.
public byte[] encryptionUtil(String key, String iv, byte[] plainText) throws GeneralSecurityException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "AES"); // AES key must be 16, 24 or 32 bytes
    GCMParameterSpec paramSpec = new GCMParameterSpec(128, iv.getBytes()); // 128-bit tag; 256 is not a valid GCM tag length
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, paramSpec);
    return cipher.doFinal(plainText);
}

And you are calling a function as:

byte[] cipherText = encryptionUtil("abcdef...", "010203040506", plainText);

Here your encryption key "abcdef..." is provided as a static string. A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app's encrypted data.

So you can use EncryptedSharedPreferences to store data locally

Reference link https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

OR

Jetpack Security

For more details: Remediation for Unsafe Cryptographic Encryption

Vikram Kodag answered Nov 12 '22 23:11
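The remediation the answer points to, shown as an added example that is not part of the question or the answer: the same AES/GCM encryption with no statically computed key or IV. The key is generated at runtime (the comment shows the assumed AndroidKeyStore variant, which is what an app should actually use), the IV is chosen by the cipher for every call and prepended to the ciphertext, and decryption fails closed on tampering. The class name SafeGcm, the AAD label and the sample message are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not from the question or the answer): AES-GCM with no
 * statically computed key, IV or salt, which is what the Play Console
 * warning is about.  The key is generated at runtime and the IV is chosen
 * by the cipher per message and prepended to the ciphertext.
 */
public final class SafeGcm {
    private static final int GCM_TAG_BITS = 128; // full-length tag
    private static final int GCM_IV_BYTES = 12;  // NIST-recommended GCM nonce size

    private SafeGcm() {}

    /**
     * Fresh 256-bit AES key.  On Android, generate it in the AndroidKeyStore
     * instead (assumed usage, shown only as a comment here):
     *   KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
     *   kg.init(new KeyGenParameterSpec.Builder(alias,
     *           KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
     *       .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
     *       .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
     *       .build());
     * Either way the key bytes never appear as a literal in the APK.
     */
    public static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    /** Returns iv || ciphertext || tag.  A new random IV is used on every call. */
    public static byte[] encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // No GCMParameterSpec on encrypt: the provider draws a random IV.  This is
        // also what AndroidKeyStore keys require, since they refuse caller-supplied
        // IVs unless randomized encryption is explicitly disabled.
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = cipher.getIV();
        if (iv == null || iv.length != GCM_IV_BYTES) {
            throw new GeneralSecurityException("unexpected GCM IV length");
        }
        if (aad != null) cipher.updateAAD(aad);
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Splits off the IV and decrypts; throws AEADBadTagException if anything was altered. */
    public static byte[] decrypt(SecretKey key, byte[] aad, byte[] blob) throws GeneralSecurityException {
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        if (aad != null) cipher.updateAAD(aad);
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        byte[] aad = "user-prefs-v1".getBytes(StandardCharsets.UTF_8);            // constructed label
        byte[] msg = "token=constructed-sample-secret".getBytes(StandardCharsets.UTF_8); // constructed data

        byte[] a = encrypt(key, aad, msg);
        byte[] b = encrypt(key, aad, msg);
        // Same key and plaintext, different IV: the ciphertexts must differ.
        if (Arrays.equals(a, b)) throw new AssertionError("IV was reused");
        if (!Arrays.equals(decrypt(key, aad, a), msg)) throw new AssertionError("round trip failed");

        // Flip one ciphertext bit: GCM must reject it rather than return garbage.
        byte[] tampered = a.clone();
        tampered[GCM_IV_BYTES] ^= 0x01;
        try {
            decrypt(key, aad, tampered);
            throw new AssertionError("tampering not detected");
        } catch (AEADBadTagException expected) {
            System.out.println("ok: round trip works, IVs differ, tampering rejected");
        }
    }
}
```

What makes this pass the check is not the algorithm (the flagged code already used AES/GCM) but where the key and IV come from: nothing in the APK contains them, and nothing about them is the same from one run, or one message, to the next. If the data must survive reinstalls or be shared with a server, the key has to be provisioned from the server or derived from a user secret with a random, stored salt, never embedded as a literal.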