The wallet-app encrypts internal data, the qr code and tan using the keystore. The chosen encryption scheme in class SecurityKeyWrapper and DefaultKeyStoreCryptor is ECB.
ECB produces identical encrypted data and is thus not recommended for multi block data.
There is also no documentation of the security model this security features is modeled for so its not possible to say if the feature is now faulty. While potentially not a meaningful issues for the presented data its not best practices and might be an issues later if template extend the use case.
Possible Fix
Use a more secure encryption scheme in the wallet app.
Impact
Wallet-app data storage encryption scheme slightly leaks protected data.
Description
The wallet-app encrypts internal data, the qr code and tan using the keystore. The chosen encryption scheme in class SecurityKeyWrapper and DefaultKeyStoreCryptor is ECB. ECB produces identical encrypted data and is thus not recommended for multi block data. There is also no documentation of the security model this security features is modeled for so its not possible to say if the feature is now faulty. While potentially not a meaningful issues for the presented data its not best practices and might be an issues later if template extend the use case.
Possible Fix
Use a more secure encryption scheme in the wallet app.
Impact
Wallet-app data storage encryption scheme slightly leaks protected data.