NickalasB
commented
1 year ago Hi there @juliansteenbakker @jhancock4d. Just to build on this issue... our static analysis tools also threw out a warning about this.
It seems to not like this particular part of the code where Base64.decode and Base64.encodeToString are used.
I'm pasting the output of that warning + the recommendation from the tool. Thank you very much
AFFECTED CODE
Cryptographic secrets - encryption key, salt, or initialization vector(IV) used to encrypt passwords/data are hard-coded in the App's binary. Cryptographic secrets were identified in the following files:
Decompiled source code:
public h(android.content.Context p7, nd.a p8)
{
this.b = new java.security.SecureRandom();
String v0_2 = this.a();
Exception v7_9 = p7.getSharedPreferences(FlutterSecureKeyStorage, 0);
android.content.SharedPreferences$Editor v1_0 = v7_9.edit();
Exception v7_1 = v7_9.getString(v0_2, 0);
this.a = this.b();
if (v7_1 != null) {
try {
this.c = p8.b(android.util.Base64.decode(v7_1, 0), AES);
return;
} catch (Exception v7_4) {
android.util.Log.e(StorageCipher18Impl, unwrap key failed, v7_4);
}
}
Exception v7_6 = new byte[16];
this.b.nextBytes(v7_6);
String v4_3 = new javax.crypto.spec.SecretKeySpec(v7_6, AES);
this.c = v4_3;
v1_0.putString(v0_2, android.util.Base64.encodeToString(p8.a(v4_3), 0));
v1_0.apply();
return;
}A hard-coded value or a statically computed value is a value that is the same on every execution of your App. Statically computed cryptographic values can be extracted from your App and used to attack your App's encrypted data. Even if you manipulate keys, initialization vectors, and salts in complex ways before use, they remain unsafe if these manipulations are the same for every program execution.
As part of Google's App Security Improvement Program, Google Play has begun to warn Apps that are statically computing cryptographic values.
RECOMMENDATION Android JetPack's security library contains convenience methods to encrypt data and manage encryption keys securely. One such convenience method is EncryptedSharedPreferences, which can be used to securely store data without worrying about the implementation of secret keys, initialization vectors, and salts.
If your business logic doesn't permit you to use JetPack's security library Google recommends the following standards:
Secret Keys: Symmetric secret keys must be unpredictable and secret. For encrypting local data, developers should construct secret keys using cryptographically secure randomness (or from user-generated data, if using PBEKeySpecs) and store the secret keys using the AndroidKeystore.
Initialization Vectors: Initialization vectors must be unique and unpredictable across multiple messages but do not need to be secret. Developers should construct initialization vectors using cryptographically secure randomness. Developers should store or transmit the initialization vectors along with the associated ciphertext.
Salts: Salts must be unique and unpredictable across multiple hashes but do not need to be secret. Developers should construct salts using cryptographically secure randomness. Developers should store or transmit the salts along with the associated hashes.
jhancock4d
BraveEvidence
AnoopSinghAswal
GoldenSoju
juliansteenbakker
Hi... In my google play console showed me the next message:
Unsafe Encryption Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details. g0.c.r.q.B
The package who use encryption in my project is Secure Storage, maybe someone identificate this problem?
Google play Console not say any more.