mogol / flutter_secure_storage

A Flutter plugin to store data in secure storage
https://pub.dartlang.org/packages/flutter_secure_storage
BSD 3-Clause "New" or "Revised" License

Custom AES encryption key #522

Closed subzero911 closed 1 month ago

subzero911 commented 1 year ago

Is it possible to encrypt values with a custom AES key? I was wondering why it is encrypted "by itself" and does not require the user to enter some secret key. So I examined the source: https://github.com/mogol/flutter_secure_storage/blob/develop/flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/StorageCipher18Implementation.java

...and found this 😱

[image]

Then it's used to encrypt values:

[image]

Looks like it is always encrypted with the same hardcoded key, which is, moreover, publicly accessible! Seems not secure at all.

marcotrumpet commented 1 year ago

@subzero911 did you receive an answer to this? @mogol can you give some clarification?

subzero911 commented 1 year ago

No, I didn't, but it looks like legacy code. I haven't found it used anywhere.

tianli91 commented 1 year ago

The PreferenceKey is not the AES key. Instead, it is used to fetch the encrypted key.

Btw, I want to raise a request to change the key size to 32 for AES-256.
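
The distinction drawn in the comment above, as an added example that is not part of the thread or the plugin's own code: a public constant names the preferences entry, while the AES key itself is random and stored only in wrapped form. Assumptions: the class and constant names are hypothetical, a `HashMap` stands in for the preferences file, an in-memory RSA key pair stands in for a key held by a platform keystore, and RSA-OAEP wrapping with a 256-bit AES key is this example's choice.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class WrappedKeyDemo {
    // Public constant: only the NAME of the preferences entry, never key material.
    static final String WRAPPED_KEY_PREF_NAME = "demo_wrapped_aes_key"; // hypothetical name

    // Return the AES key stored under the constant name, creating it on first use.
    static SecretKey loadOrCreateAesKey(Map<String, String> prefs, KeyPair wrappingKey) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        String stored = prefs.get(WRAPPED_KEY_PREF_NAME);
        if (stored == null) {
            KeyGenerator gen = KeyGenerator.getInstance("AES");
            gen.init(256); // random key; size chosen for this example
            SecretKey fresh = gen.generateKey();
            rsa.init(Cipher.WRAP_MODE, wrappingKey.getPublic());
            prefs.put(WRAPPED_KEY_PREF_NAME, Base64.getEncoder().encodeToString(rsa.wrap(fresh)));
            return fresh;
        }
        rsa.init(Cipher.UNWRAP_MODE, wrappingKey.getPrivate());
        return (SecretKey) rsa.unwrap(Base64.getDecoder().decode(stored), "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        // Two installs: each has its own preferences map and its own wrapping key pair
        // (an in-memory stand-in for a key held by a platform keystore).
        Map<String, String> prefsA = new HashMap<>(), prefsB = new HashMap<>();
        KeyPair wrapA = kpg.generateKeyPair(), wrapB = kpg.generateKeyPair();
        SecretKey a1 = loadOrCreateAesKey(prefsA, wrapA);
        SecretKey a2 = loadOrCreateAesKey(prefsA, wrapA);
        SecretKey b1 = loadOrCreateAesKey(prefsB, wrapB);
        System.out.println("reload returns same key: " + Arrays.equals(a1.getEncoded(), a2.getEncoded()));
        System.out.println("installs share a key:    " + Arrays.equals(a1.getEncoded(), b1.getEncoded()));
        try { // copied preferences entry without the matching private key
            loadOrCreateAesKey(prefsA, wrapB);
            System.out.println("unwrap with wrong key: succeeded");
        } catch (Exception e) {
            System.out.println("unwrap with wrong key: failed (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

In this pattern the confidentiality of stored values depends on where the wrapping private key lives, not on the constant string being secret.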

BraveEvidence commented 1 year ago

This will help https://www.youtube.com/watch?v=JogvnnaJ8TI

Den-creator commented 6 months ago

Was preferencesKeyPrefix implemented to solve the issue described above?

juliansteenbakker commented 1 month ago

The fix for this issue will be discussed in #769