oblador / react-native-keychain

:key: Keychain Access for React Native
MIT License
3.12k stars 515 forks

Veracode vulnerability issue. #544

Open rkaartikeyan opened 2 years ago

rkaartikeyan commented 2 years ago

Thanks for the great library.

As part of publishing the app, we have scanned the APK with Veracode and found the issues below. If these are taken care of, that will be helpful on the security aspects.

1. CipherStorageBase.java

[screenshot]

Description: Initialization vector being used here is not cryptographically strong for the underlying primitive's encryption output.

Remediation: Make sure it's cryptographically generated using a good random number generator algorithm and seeded with OS-generated entropy. The length of the initialization vector should be the same as the size of the underlying block on which the cipher works. For AES with GCM mode use an initialization vector of 96 bits, and for almost all other modes use 128 bits; for stream ciphers of the Salsa/ChaCha family the initialization vector size should be 96 bits, and XSalsa and XChaCha use 192 bits of vector size.

2. CipherStorageBase.java

[screenshot]

Description: Initialization vector being used here is not cryptographically strong for the underlying primitive's encryption output.

Remediation: Make sure it's cryptographically generated using a good random number generator algorithm and seeded with OS-generated entropy. The length of the initialization vector should be the same as the size of the underlying block on which the cipher works. For AES with GCM mode use an initialization vector of 96 bits, and for almost all other modes use 128 bits; for stream ciphers of the Salsa/ChaCha family the initialization vector size should be 96 bits, and XSalsa and XChaCha use 192 bits of vector size.

BraveEvidence commented 1 year ago

This will help https://www.youtube.com/watch?v=J0OSn7s9YiA&list=PLQhQEGkwKZUrempLnmxjt7ZCZJu1W3p2i&index=15

weyron2014 commented 1 year ago

We have the same issue and our app needs to pass the security review. Any updates?