Finding Description
The application was found to use weak cryptographic algorithms during app runtime. These methods are usually easily reverse engineered, so the data is not well protected. An attacker with access to the encrypted data could easily recover the data that was obfuscated.
Evaluation Criteria
It is a best practice not to use insecure methods to encrypt data.
However, not all companies require this.
The context table below should be evaluated against the standards for the app.
Also, please note there is a separate finding specifically for sensitive data being encrypted using these methods.
Steps to Reproduce
While the app is running on a physical device, javax.crypto, BouncyCastle and SpongyCastle API calls are examined to detect usage of insecure encryption algorithms, encryption modes, hashing algorithms or insufficient key derivation rounds.
Remediation Resources
Change to using algorithms that are secure. Guidance can be found for Android and from Apple.
For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.
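The following is an added example, not code from the finding or from NowSecure, showing the javax.crypto usage patterns this finding reports (DES, ECB mode, MD5, a low PBKDF2 iteration count) beside hardened replacements along the lines of the OWASP Cryptographic Storage Cheat Sheet: AES-256-GCM with a fresh random IV per message, SHA-256, and PBKDF2-HMAC-SHA256 with a high iteration count. Class and method names, the 600,000 iteration figure and the sample plaintext are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoFindingExample {

    // --- Patterns this finding reports (kept here only to show what runtime inspection flags) ---
    static byte[] weakEncrypt(byte[] key8, byte[] plaintext) throws Exception {
        // DES is a deprecated 56-bit cipher; ECB mode leaks plaintext structure across blocks.
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key8, "DES"));
        return c.doFinal(plaintext);
    }

    static byte[] weakHash(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data); // collision-broken digest
    }

    static SecretKey weakKdf(char[] password, byte[] salt) throws Exception {
        // 1000 iterations is far below current guidance ("insufficient key derivation rounds")
        KeySpec spec = new PBEKeySpec(password, salt, 1000, 128);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec);
    }

    // --- Hardened replacements ---
    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_BYTES = 12;

    /** AES-256-GCM. Output layout is IV || ciphertext+tag so the IV travels with the data. */
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per message; never reuse an IV under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        if (aad != null) c.updateAAD(aad);
        // Throws AEADBadTagException if the ciphertext, tag or AAD was tampered with
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    static byte[] hash(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** PBKDF2-HMAC-SHA256 with a caller-supplied random salt and a high iteration count. */
    static SecretKey deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES"); // re-label the derived bytes as an AES key
        } finally {
            spec.clearPassword(); // do not leave the password in the spec object
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Constructed sample inputs for the demonstration
        SecretKey key = deriveKey("correct horse battery staple".toCharArray(), salt, 600_000);
        byte[] aad = "user-record-v1".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(key, "constructed sample plaintext".getBytes(StandardCharsets.UTF_8), aad);
        System.out.println(new String(decrypt(key, blob, aad), StandardCharsets.UTF_8));
    }
}
```

The weak methods are present only to make the flagged patterns recognisable; they are not called. On Android, a key that protects local data is better generated and held in the Android Keystore than derived in-process, and the salt and iteration count must be stored alongside the ciphertext so the key can be re-derived.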
Risk and Regulatory Information
Severity: low CVSS: 3.7