RocketChat / Rocket.Chat.ReactNative

Rocket.Chat mobile clients
https://rocket.chat
MIT License

Google Security and trust error: Unsafe cipher mode #3525

Closed daniilr closed 2 years ago

daniilr commented 2 years ago

Description:

I am getting Google Play Security and trust error:

Unsafe cipher mode. Your app contains a less secure encryption mode. Please see this Google Help Centre article for details.

Environment Information:

I am building experimentalPlayRelease from single-server branch (commit b564eddcfd40bca3b0573b019b91bc23800f7ae0)

Steps to reproduce:

  1. Build an app with the experimentalPlayRelease target. Upload the bundle to the Google Play Store.

Expected behavior:

App successfully complies with Google security requirements.

Actual behavior:

It doesn't.

diegolmello commented 2 years ago

Hey, @daniilr. Thanks for letting us know. We didn't get this warning. Can you screenshot what Google says? (not the article, but on Google Play console)

daniilr commented 2 years ago

Hi, @diegolmello. Thanks for the quick response. Sure: [image]

I have additionally found that this issue is caused by the react-native-mmkv-storage dependency:
https://github.com/ammarahm-ed/react-native-mmkv-storage/blob/v0.3.5/android/src/main/java/com/ammarahmed/mmkv/Constants.java#L11
https://github.com/ammarahm-ed/react-native-mmkv-storage/blob/v0.3.5/android/src/main/java/com/ammarahmed/mmkv/SecureKeystore.java#L257

I have prepared an update to your patch for that library that implements the recommended changes to the cryptography. I have already tested it locally and am now waiting for an updated report from Google. If it works, I will create a pull request with a fix. Although it's still not fixed in the dependency, I believe we should fix the issue here in RocketChat, as it's already patched and fixed to a specific version.
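An added illustration for readers following the thread (not code from react-native-mmkv-storage, from the patch mentioned above, or from Rocket.Chat): the Google Play "Unsafe cipher mode" warning refers to ECB mode, shown here as the first transformation string (that the dependency used exactly this string is an assumption), next to an authenticated AES-GCM replacement with a fresh random IV per encryption. It uses a plain JCE key so it runs on a desktop JVM; on Android the key would instead come from the AndroidKeyStore.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical example class; not part of the library or the app discussed above.
public final class CipherModeExample {
    // ECB has no IV, so equal plaintext blocks give equal ciphertext blocks and
    // nothing authenticates the data. This is the pattern the Play check flags.
    static final String UNSAFE_TRANSFORMATION = "AES/ECB/PKCS5Padding"; // assumed weak setting
    // Authenticated mode; safe only with a unique IV for every encryption under a key.
    static final String SAFE_TRANSFORMATION = "AES/GCM/NoPadding";
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    // Review helper: true when a JCE transformation string selects ECB (or omits the mode,
    // which the provider usually resolves to ECB).
    static boolean isUnsafeCipherMode(String transformation) {
        String[] parts = transformation.split("/");
        return parts.length < 2 || parts[1].equalsIgnoreCase("ECB");
    }

    // Returns IV || ciphertext || tag; the IV is not secret but must never repeat per key.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance(SAFE_TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the stored blob was modified, unlike ECB which decrypts garbage silently.
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance(SAFE_TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // constructed sample key, not a persisted app key
        byte[] sealed = encryptGcm(key, "constructed sample secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("ECB flagged: " + isUnsafeCipherMode(UNSAFE_TRANSFORMATION));
        System.out.println("GCM flagged: " + isUnsafeCipherMode(SAFE_TRANSFORMATION));
        System.out.println(new String(decryptGcm(key, sealed), StandardCharsets.UTF_8));
    }
}
```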

diegolmello commented 2 years ago

It'd be better if you already worked on updating the lib to the latest version.

daniilr commented 2 years ago

Unfortunately, the patch doesn't apply to the latest version automatically. Besides that, the latest version is still using weak cryptography.

cuongnn-smartosc commented 2 years ago

Any updates on this? I used version 4.25 and it is still having this issue.

Thanks

diegolmello commented 2 years ago

Might be fixed by #3634

diegolmello commented 2 years ago

We released a version on our Experimental app containing #3634 and there was no report from Google Play pointing to the cipher mode. I'm going to keep it open once you folks try it as well.