"Your app contains unsafe cryptographic encryption patterns" - How I can get rid of this warning?

Question

Few days ago, In "Pre-launch report for APK" in Google Play Console, it start to flag me

Unsafe encryption

Detected in APK ???

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Centre article for details.

Vulnerable classes:

c.j.a.s.J.b

---

However, since the early day of APK, I do not change anything in encryption code/ description code. Hence, I'm not sure why Google starts to warn me on recent APK?

Any idea how to resolve? As, the information for vulnerable classes c.j.a.s.J.b is not helpful.

I try to use Proguard + mapping.txt to retrace c.j.a.s.J.b but able to figure what class is that.

Any idea how I can get rid of Google security warning?

Answer 1

The google play suggests with vulnerable classes with the function name, you can see in the dialog.

Review your app for statically computed keys, initialization vectors, and/or salts that are used in cryptographic encryption operations and ensure that these values are constructed safely

For example :

public byte[] encryptionUtil(String key, String iv, byte[] plainText) {
    Cipher cipher = Cipher.getInstance(“AES/GCM/NoPadding”);
    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), “AES”);
    GCMParameterSpec paramSpec = new GCMParameterSpec(256, iv.getBytes());
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, paramSpec);
    return cipher.doFinal(plainText);
  }

And you are calling a function as:

byte[] cipherText = encryptionUtil(“abcdef...”, “010203040506”, plainText);

Here your encryption key “abcdef...” is provides as a static string. A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app’s encrypted data.

So you can use EncryptedSharedPreferences to store locally data

Reference link https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

OR

Jetpack Security

For more details: Remediation for Unsafe Cryptographic Encryption