Finding Description
The application is using static values as seeds for encryption. Any attacker who recovers those static seeds (for example, by decompiling the binary) can regenerate the same key material and easily decrypt that data. If the data being encrypted is sensitive information, the attacker will be able to see and exploit it.
Steps to Reproduce
The test looks in the decompiled code of the binary for instances of static strings being used as cryptographic seeds.
Business Impact
The app is not securely encrypting data, and an attacker could easily decrypt potentially sensitive information related to the user or users of the app.
Remediation Resources
When initializing encryption, do not use a hardcoded byte array as a seed value. Instead, use dynamically generated values, such as output from SecureRandom, so that the cryptographic initialization is unpredictable to anyone who has read the application's code.
The Findings Evidence table provides the instances where a hardcoded value was used.
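As an added illustration of this remediation (example code, not taken from the NowSecure report or the assessed application), the seeded pattern this test flags is shown beside the SecureRandom-driven key generation it recommends; the class name and the seed value are constructed for the example:

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SeedExample {
    // WEAK: a hardcoded seed (constructed sample value). Anyone with the
    // decompiled binary reads it, and a seed-driven PRNG then yields the same
    // key on every device and every run.
    private static final byte[] STATIC_SEED = "app-secret-seed".getBytes();

    // Weak pattern flagged by this finding: derive the AES key from a PRNG
    // seeded with a constant. With the JDK's SHA1PRNG, setSeed() before the
    // first nextBytes() makes the output a pure function of the seed, so the
    // "key" is effectively the constant itself. (Android 7+ mixes the seed
    // with entropy instead, but the constant still contributes no secrecy.)
    static SecretKey weakKey() throws Exception {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(STATIC_SEED);
        byte[] keyBytes = new byte[32];
        rng.nextBytes(keyBytes);
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Corrected pattern: let the platform CSPRNG generate the key. The app
    // supplies no seed, so there is nothing static for a decompiler to find.
    static SecretKey strongKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // Check: two independent runs of the weak path give the same key bytes;
    // two runs of the corrected path do not.
    static boolean keyRepeats(boolean weak) throws Exception {
        byte[] a = weak ? weakKey().getEncoded() : strongKey().getEncoded();
        byte[] b = weak ? weakKey().getEncoded() : strongKey().getEncoded();
        return Arrays.equals(a, b);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak key repeats:   " + keyRepeats(true));
        System.out.println("strong key repeats: " + keyRepeats(false));
    }
}
```

Generated keys should then be stored in platform-protected storage rather than re-derived from anything embedded in the application.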
Risk and Regulatory Information
Severity: medium
CVSS: 6.5