Closed MrArtichaut closed 8 years ago
Hey @MrArtichaut, thanks for your comment, but aren't you talking about https://github.com/scottyab/AESCrypt-Android? This secure-preferences lib has no dependency on it or shared code. Maybe the confusion is because I'm author/maintainer of both?
I'm closing this issue not because your comment is invalid, far from it; it's just not for this secure-preferences library.
For the record, as mentioned in the README for AESCrypt-Android, it was built to be compatible with the AESCrypt Ruby library and AESCrypt-ObjC, and the defaults are not the best security. If you feel this should be more prominent then please raise an issue, or even better a PR, over at https://github.com/scottyab/AESCrypt-Android
AESCrypt-Android is a completely insecure cryptography library!
It uses a simple SHA256 in order to derive a key from a password, with no salt. That's basically useless. => Please consider using at least PBKDF2 with a good salt and a sufficient number of iterations. => Read https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
It doesn't provide authenticated encryption and so doesn't provide integrity and authentication checks. => Please consider using something like Keyczar => Read http://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken
It provides a "convenient" encrypt/decrypt method that uses a fixed salt. That's awful.
Please don't use this library.
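The two complaints in the issue (unsalted SHA-256 as a KDF, and no authentication on the ciphertext) side by side with the fix it asks for, as an added example. This is not code from AESCrypt-Android or secure-preferences (both Java/Android); it is written in Go so that everything runs on the standard library, with PBKDF2-HMAC-SHA256 written out in full. The function names `weakKey`, `pbkdf2SHA256`, `encrypt`, `decrypt`, the 16-byte salt, and the 100,000 iteration count are assumptions chosen for the example, not values from either project.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Parameters for the hardened path. The iteration count is an assumed
// starting point, not a recommendation from either library: raise it as
// far as the device budget allows.
const (
	saltLen    = 16
	keyLen     = 32 // AES-256
	iterations = 100_000
)

// weakKey reproduces the pattern the issue criticises: one unsalted
// SHA-256 of the password. Two users with the same password get the same
// key, and a single precomputed table cracks all of them at once.
func weakKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA-256, written
// out here so the example needs nothing beyond the Go standard library.
func pbkdf2SHA256(password, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var index [4]byte
	for i := 1; i <= numBlocks; i++ {
		// U_1 = PRF(password, salt || INT_32_BE(i))
		binary.BigEndian.PutUint32(index[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(index[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_c = PRF(password, U_{c-1}); T_i = U_1 xor ... xor U_c
		for c := 1; c < rounds; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives an AES-256 key from the password and salt and wraps it in GCM.
func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt derives a fresh key from the password and a random salt, then
// seals the plaintext with AES-256-GCM. Layout: salt || nonce || ciphertext+tag.
func encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// decrypt re-derives the key from the stored salt and rejects any blob whose
// GCM tag does not verify: the integrity check the issue says is missing.
func decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	if len(blob) < saltLen+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce := blob[saltLen : saltLen+gcm.NonceSize()]
	ct := blob[saltLen+gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("authentication failed: wrong password or tampered data")
	}
	return pt, nil
}

func main() {
	msg := []byte("secret preference value") // constructed sample input
	fmt.Printf("unsalted SHA-256 key, identical every run: %x\n", weakKey("hunter2"))
	blob, _ := encrypt("hunter2", msg)
	pt, err := decrypt("hunter2", blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of ciphertext/tag
	_, err = decrypt("hunter2", blob)
	fmt.Println("after tampering:", err)
}
```

The salt is stored in the clear in front of the ciphertext; that is fine, its job is uniqueness, not secrecy. Because the key is re-derived per blob from a random salt and GCM uses a fresh nonce, encrypting the same value twice gives different output, which the fixed-salt "convenience" method in the issue does not. On a real Android project, javax.crypto's `PBKDF2WithHmacSHA256` and `AES/GCM/NoPadding` cover the same ground.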