High attention point related to "Padding Oracle", reported by MobSF, when using encryption mode, "AES/CBC/PKCS7Padding", in class "StorageCipher18Implementation.java".

juliansteenbakker / flutter_secure_storage

A Flutter plugin to store data in secure storage

https://pub.dartlang.org/packages/flutter_secure_storage

BSD 3-Clause "New" or "Revised" License

1.13k stars 387 forks source link

High attention point related to "Padding Oracle", reported by MobSF, when using encryption mode, "AES/CBC/PKCS7Padding", in class "StorageCipher18Implementation.java". #562

Closed kaganzdmr58 closed 3 months ago

kaganzdmr58 commented 1 year ago

When I analyzed the project with mobsf, it said that it found a high priority error. When I followed the error, I discovered that an old method was used in the library, can you help me to fix the error?

const AndroidOptions( encryptedSharedPreferences: true, storageCipherAlgorithm: StorageCipherAlgorithm.AES_GCM_NoPadding );

I tried this but my problem still persists, i get this error from MobSf "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks."

kaganzdmr58 commented 1 year ago

Error page

com/it_nomads/fluttersecurestorage/ciphers/StorageCipher18Implementation.java

StorageCipher18Implementation.java protected Cipher getCipher() throws Exception { return Cipher.getInstance("AES/CBC/PKCS7Padding"); }

STANDARTS CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking OWASP Top 10: M5: Insufficient Cryptography OWASP MASVS: MSTG-CRYPTO-3

nhan7777 commented 1 year ago

I have the same issue when scan app via Qualys

abirajabi commented 1 year ago

I'm also having this issue. Is there any workaround for this problem?

ernestomar commented 1 year ago

Possible duplicate of #526?

juliansteenbakker commented 3 months ago

The fix of this issue will be discussed in #769