microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms
8.93k stars 1.46k forks

Security vulnerability due to using com.nimbusds:nimbus-jose-jwt:5.1 #2533

Closed ganesh-papola closed 5 months ago

ganesh-papola commented 1 year ago

Steps to Reproduce

We have got a security warning flagged by NowSecure, our mobile security scanner. The test looks in the decompiled code of the binary for instances of static strings being used as cryptographic seeds. It advised us that code in our app is using a hardcoded byte array as a seed value for encryption. It traced this hardcoded byte array to com.nimbusds:nimbus-jose-jwt:5.1 (see stack trace below), which we traced to this library:

react-native-code-push/android/app/build.gradle, line 30 in b9fb9fb:

```gradle
implementation 'com.nimbusds:nimbus-jose-jwt:5.1'
```

Expected Behavior

When initializing encryption, do not use a hardcoded byte array as a seed value. Instead, consider using dynamic values such as SecureRandom in order to create a secure initialization of the cryptography. The Findings Evidence table provides the instances where a hardcoded value was used.

see Android Developer Guidance and Code Samples for Secure Cryptography https://developer.android.com/guide/topics/security/cryptography

A suggested fix might be to use a different library or encourage nimbus to change how they are seeding encryption.

Actual Behavior

The application is using static values as seeds for encryption. This means that any attacker who sees those static seeds will be able to easily decrypt that data. If the data being encrypted is sensitive information, the attacker will be able to see and exploit the information.

Stack Trace and/or Screenshots

```json
{
  "location": "Lcom/nimbusds/jose/crypto/AESGCMKW;,decryptCEK,(Ljavax/crypto/SecretKey;[BLcom/nimbusds/jose/crypto/AuthenticatedCipherText;ILjava/security/Provider;)Ljavax/crypto/SecretKey;",
  "hardcoded_value": "Lcom/nimbusds/jose/crypto/AESGCM;,decrypt,(Ljavax/crypto/SecretKey;[B[B[B[BLjava/security/Provider;)[B",
  "instance_type": "Ljavax/crypto/spec/SecretKeySpec;"
}
```

Environment

- react-native-code-push version: 7.0.3
- react-native version: 0.64.2
- iOS/Android/Windows version: Android 29
- Does this reproduce on a debug build or release build?: release
- Does this reproduce on a simulator, or only on a physical device?: both

nikolal commented 1 year ago

This was reported before, but it was closed:

https://github.com/microsoft/react-native-code-push/issues/2147

tmianhill commented 1 year ago

It was only closed because no-one fixed it.

gbashish12556 commented 1 year ago

Still facing this issue.

Environment

- react-native-code-push version: 6.2.1
- react-native version: 0.63.4
- version: Android 29

I also tried upgrading nimbusds to 9.8.1, which is the latest version, using patch-package. It did not help.

MobSF Error:

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

Priority: high

CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-3

Files:
- com/nimbusds/jose/crypto/AESCBC.java
- com/nimbusds/jose/jca/JCASupport.java

kennethnokman commented 10 months ago

Any plans from @msftgits to fix it?

nikolal commented 8 months ago

I will bump this again so it's not auto-closed, since it seems to me it is important to fix.

AnatolyPristensky commented 7 months ago

Hello, @gbashish12556, I see that the latest version of nimbus-jose-jwt is 9.37.3. Did you have a chance to try upgrade on this version?

DmitriyKirakosyan commented 5 months ago

It was fixed in the latest release (v8.2.2).