audit4j / audit4j-core

An open source auditing framework.
http://audit4j.org
Apache License 2.0

Initialization vectors should be randomly generated for proper security guarantees. #76

Open naskovai opened 6 years ago

naskovai commented 6 years ago

As part of some research about the common crypto mistakes that developers make, I noticed that your application has one of them.

In EncryptionUtil.getCipher you're initializing a Cipher instance with a static IV which is insecure.

One possible solution would be to generate the initialization vector using SecureRandom:

import java.security.SecureRandom;
byte[] iv = new byte[16]; // 16 bytes = AES block size; generate a fresh IV for every encryption
new SecureRandom().nextBytes(iv);
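The following is an added example, not audit4j code and not the reporter's snippet; it does not reproduce EncryptionUtil.getCipher. It assumes AES/CBC/PKCS5Padding (chosen to match the 16-byte IV in the suggestion above), a hypothetical all-zero STATIC_IV constant standing in for any fixed IV, and a constructed sample record. It shows why a static IV is a problem (two encryptions of the same record are byte-for-byte identical, so equality of plaintexts leaks) and the usual fix: a fresh SecureRandom IV per message, prepended to the ciphertext so the decrypting side can recover it.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added example (not audit4j code): AES/CBC with a fresh random IV per message,
 * stored in front of the ciphertext. The static-IV variant is kept only to
 * demonstrate the equality leak the issue describes.
 */
public class RandomIvExample {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16; // AES block size in bytes

    // Hypothetical fixed IV (all zeros). Any constant has the same problem.
    private static final byte[] STATIC_IV = new byte[IV_LEN];

    // Insecure: same IV for every message. Equal plaintexts give equal
    // ciphertexts, and in CBC equal plaintext prefixes give equal prefixes.
    static byte[] encryptStaticIv(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));
        return cipher.doFinal(plaintext);
    }

    // Secure: new IV from SecureRandom on every call, prepended to the
    // ciphertext. The IV is not secret; it must be unpredictable and must
    // never be reused under the same key.
    static byte[] encryptRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Splits off the leading IV and decrypts the remainder.
    static byte[] decryptRandomIv(SecretKey key, byte[] ivAndCt) throws Exception {
        // Shortest valid message: one IV plus one padded block.
        if (ivAndCt.length < IV_LEN + 16) {
            throw new IllegalArgumentException("message too short");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample audit record, not real data.
        byte[] record = "user=alice action=LOGIN".getBytes(StandardCharsets.UTF_8);

        // Static IV: encrypting the same record twice yields identical bytes.
        boolean staticLeaksEquality =
                Arrays.equals(encryptStaticIv(key, record), encryptStaticIv(key, record));

        // Random IV: the two ciphertexts differ, yet both decrypt to the record.
        byte[] c1 = encryptRandomIv(key, record);
        byte[] c2 = encryptRandomIv(key, record);
        boolean randomHidesEquality = !Arrays.equals(c1, c2)
                && Arrays.equals(decryptRandomIv(key, c1), record)
                && Arrays.equals(decryptRandomIv(key, c2), record);

        System.out.println("static IV leaks plaintext equality: " + staticLeaksEquality);
        System.out.println("random IV hides plaintext equality: " + randomHidesEquality);
    }
}
```

Two practical notes. First, with the SunJCE provider you can also let the cipher pick the IV by calling cipher.init(Cipher.ENCRYPT_MODE, key) without an IvParameterSpec and then reading it back with cipher.getIV(); the result is the same as drawing it from SecureRandom yourself, and it must still be stored with the ciphertext. Second, a random IV fixes confidentiality of equal messages but CBC without a MAC is still malleable; if the project moves to an authenticated mode such as AES/GCM with a 12-byte random nonce, the rule is the same and more important, because reusing a GCM nonce under one key breaks both confidentiality and the authentication tag.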