edwindwalker / edwinwalker

Personal site
0 stars 0 forks source link

NowSecure dynamic analysis: App is Using Outdated or Insecure Cryptography #11

Closed edwindwalker closed 9 months ago

edwindwalker commented 3 years ago

Finding Description

The application was found to use weak cryptographic algorithms during app runtime. These methods are usually easily reverse engineered, so the data is not really protected very well. An attacked with access to the encrypted data could easily see the data that was obfuscated.

Evaluation Criteria

It is a best practice not to use insecure methods to encrypt data. However, not all companies require this. The context table below should be evaluated against the standards for the app. Also, please note there is a separate finding specifically for sensitive data being encrypted using these methods.

Steps to Reproduce

While the app is running on a physical device, javax.crypto, BouncyCastle and SpongyCastle API requests are examined to detect usage of insecure encryption algorithms, encryption modes, hashing algorithms or insufficient key derivation rounds.

Remediation Resources

Change to using algorithms that are secure. Guidance can be found for Android and from Apple.

For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.

Risk and Regulatory Information

Severity: low CVSS: 3.7

Application

See more detail in the NowSecure Report