lcimeni / youtube


NowSecure dynamic analysis: Weak Cryptographic Encryption Modes #364

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

The application was found to use weak cryptographic encryption modes during app runtime. These encryption modes are usually easily reverse engineered, so the data may be compromised by an observer. An attacker with access to the encrypted data may be able to determine the data that was obfuscated.

Evaluation Criteria

It is a best practice not to use insecure methods or modes for encrypting data. However, not all companies require this. The context table below should be evaluated against the standards for the app. Also, please note there is a separate finding specifically for sensitive data being encrypted using these methods.

Steps to Reproduce

While the app is running on a physical device, CommonCrypto API requests are examined and insecure or unsuitable encryption modes are flagged.

Remediation Resources

Change to using encryption modes that are secure. Guidance can be found for Android and from Apple.

For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.

Risk and Regulatory Information

Severity: low CVSS: 3.7

Application

See more detail in the NowSecure Report

lcimeni commented 2 years ago

Update: The risk severity (CVSS score) of this finding has been modified from 3.7 to 9 by Lorenz Cimeni.

Powered by NowSecure Platform