scottyab / secure-preferences

Android Shared preference wrapper that encrypts the values of Shared Preferences. It's not bullet proof security but rather a quick win for incrementally making your android app more secure.

SecureException in AesCbcWithIntegrity:installLinuxPRNGSecureRandom #31

Closed smred closed 9 years ago

smred commented 9 years ago

Hi, the last release of the library crashes on HUAWEI G630 U10 with Android 4.3.

Caused by java.lang.SecurityException
com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.installLinuxPRNGSecureRandom (AesCbcWithIntegrity.java:764)
com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.apply (AesCbcWithIntegrity.java:684)
com.tozny.crypto.android.AesCbcWithIntegrity.fixPrng (AesCbcWithIntegrity.java:347)
com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword (AesCbcWithIntegrity.java:184)
com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword (AesCbcWithIntegrity.java:234)
com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword (AesCbcWithIntegrity.java:219)
com.securepreferences.SecurePreferences. (SecurePreferences.java:145)
com.securepreferences.SecurePreferences. (SecurePreferences.java:92)

cyberrob-zz commented 9 years ago

I got the same problem, only when I'm running an APK with minifyEnabled set to true:

Caused by: java.lang.SecurityException: new SecureRandom() backed by wrong Provider: class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$LinuxPRNGSecureRandomProvider
at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.d(Unknown Source)
at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.a(Unknown Source)
at com.tozny.crypto.android.AesCbcWithIntegrity.c(Unknown Source)
at com.tozny.crypto.android.AesCbcWithIntegrity.a(Unknown Source)
at com.tozny.crypto.android.AesCbcWithIntegrity.a(Unknown Source)

In the proguard config I add:

-keep class com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes$* { *; }

Running on Genymotion Android Emulator 4.2.2.

Is this related to https://github.com/tozny/java-aes-crypto/issues/13 or this post?

cyberrob-zz commented 9 years ago

I've tested all versions from Android 4.1.1, 4.2.2, 4.3 (Genymotion Emulator). They all crashed.

However, if I change the version of secure-preference from 1.0.3 to 1.0.2, it all worked!

This might not completely solve the problem but it could help for now.

scottyab commented 9 years ago

Thanks Robert, I'll take a look today

On Tue, 13 Oct 2015 07:54 Robert Wang notifications@github.com wrote:

I've tested all versions from 4.1.1, 4.2.2, 4.3 (Genymotion Emulator). They all crashed.

However I change the version of secure-preference from 1.0.3 to 1.0.2, it all worked!

This might not completely solve the problem but it could help for now.

scottyab commented 9 years ago

The PrngFixes class is doing several equals checks on class names, i.e. getProvider().getClass().getSimpleName().equals("LinuxPRNGSecureRandomProvider"), but this was failing due to the obfuscation. Even when using -keep on the two inner classes of PrngFixes (LinuxPRNGSecureRandomProvider and LinuxPRNGSecureRandom), the equals still wasn't satisfied.

I changed the equals check to use LinuxPRNGSecureRandomProvider.class.getSimpleName() rather than "LinuxPRNGSecureRandomProvider". This way it doesn't matter if proguard (or whatever) changes the class name.

Tested on devices and genymotion.

I'll add the fixed java-aes-crypto lib (my fork); it'll be in version 'com.scottyab:aes-crypto:0.0.4', and I'll PR to the original.
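The failure mode described in the comment above, as an added example (not code from secure-preferences or java-aes-crypto): a provider is installed at position 1 and the `new SecureRandom()` provider is verified three ways. The classes `a` and `b` are constructed stand-ins whose one-letter names imitate a shrinker rename, and the class-identity check is an extra variant not taken from the thread.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;

public class ProviderCheckDemo {
    // Created before the demo provider is installed, so the SPI can delegate to the
    // platform PRNG instead of recursing into itself.
    private static final SecureRandom PLATFORM = new SecureRandom();

    // Constructed stand-ins for PrngFixes' two inner classes; the one-letter names
    // imitate what a shrinker leaves behind when minifyEnabled is true.
    public static final class a extends SecureRandomSpi {
        @Override protected void engineSetSeed(byte[] seed) { PLATFORM.setSeed(seed); }
        @Override protected void engineNextBytes(byte[] out) { PLATFORM.nextBytes(out); }
        @Override protected byte[] engineGenerateSeed(int n) { return PLATFORM.generateSeed(n); }
    }

    public static final class b extends Provider {
        public b() {
            super("DemoPRNG", 1.0, "stand-in for LinuxPRNGSecureRandomProvider");
            put("SecureRandom.SHA1PRNG", a.class.getName());
        }
    }

    // Pre-fix check: the string literal is not rewritten when the class is renamed.
    static boolean literalCheck(Provider p) {
        return p.getClass().getSimpleName().equals("LinuxPRNGSecureRandomProvider");
    }

    // Check as changed in the fix: both sides of equals() come from the class itself.
    static boolean classNameCheck(Provider p) {
        return p.getClass().getSimpleName().equals(b.class.getSimpleName());
    }

    // Stricter variant (an addition): compare Class objects, so an unrelated provider
    // that happens to share the simple name is still rejected.
    static boolean classIdentityCheck(Provider p) {
        return p.getClass() == b.class;
    }

    public static void main(String[] args) {
        Security.insertProviderAt(new b(), 1);
        Provider actual = new SecureRandom().getProvider();
        System.out.println("provider class   : " + actual.getClass().getName());
        System.out.println("literal check    : " + literalCheck(actual));
        System.out.println("class-name check : " + classNameCheck(actual));
        System.out.println("identity check   : " + classIdentityCheck(actual));
    }
}
```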

scottyab commented 9 years ago

Fixed in v0.1.4 of Secure-preferences

fernandospr commented 8 years ago

This is not fixed in v0.1.4. Please, reopen. I still see the exception:

Caused by java.lang.SecurityException: new SecureRandom() backed by wrong Provider: class org.apache.harmony.security.provider.crypto.CryptoProvider
       at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.installLinuxPRNGSecureRandom(AesCbcWithIntegrity.java:767)

GT-I8190L Android 4.1.2

ankitgoyal1009 commented 8 years ago

I can still see the issue. Interesting thing is it is happening to my users but none of my test devices has this issue.

0w60 commented 8 years ago

Still crashes on 4.1.1

Fatal Exception: java.lang.RuntimeException
Unable to create application: java.lang.SecurityException: SecureRandom.getInstance("SHA1PRNG") backed by wrong Provider: class org.apache.harmony.security.provider.crypto.CryptoProvider

bmacedo commented 7 years ago

Is there any solution available for this? I get this crash as well on a Samsung 4.1.2 device.

gilshallem commented 4 years ago

Still happening

Running this code: SecurePreferences.Editor prefs = new SecurePreferences(mContext).edit();

Gives this error:

Fatal Exception: java.lang.SecurityException: new SecureRandom() backed by wrong Provider: class org.apache.harmony.security.provider.crypto.CryptoProvider
at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.installLinuxPRNGSecureRandom(AesCbcWithIntegrity.java:764)
at com.tozny.crypto.android.AesCbcWithIntegrity$PrngFixes.apply(AesCbcWithIntegrity.java:680)
at com.tozny.crypto.android.AesCbcWithIntegrity.fixPrng(AesCbcWithIntegrity.java:347)
at com.tozny.crypto.android.AesCbcWithIntegrity.generateKeyFromPassword(AesCbcWithIntegrity.java:184)
at com.securepreferences.SecurePreferences.generateAesKeyName(SecurePreferences.java:228)
at com.securepreferences.SecurePreferences.(SecurePreferences.java:149)
at com.securepreferences.SecurePreferences.(SecurePreferences.java:134)
at com.securepreferences.SecurePreferences.(SecurePreferences.java:107)
at com.securepreferences.SecurePreferences.(SecurePreferences.java:82)

API: com.scottyab:secure-preferences-lib:0.1.7