
Insecure use of (Insecure cipher mode: ECB) in EncryptionManager.java

Open A-Amyan opened this issue 5 months ago • 0 comments

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in EncryptionManager.java at lines {911, 923}, which can lead to an attack (e.g., Codebook attack (plaintext pattern analysis), Block replay/cut-and-paste attack). This is our result:

    "explanation": "Direct call to Cipher.getInstance in RSAEncrypt to obtain a Cipher instance for RSA encryption using the AndroidOpenSSL provider.",
    "cryptographicObjectType": "Cipher (RSA Encryption)",
    "codeSnippet": "byte[] RSAEncrypt(byte[] bytes) throws KeyStoreException, UnrecoverableEntryException, NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, InvalidKeyException, IOException {\n    Cipher cipher = Cipher.getInstance(RSA_CIPHER, SSL_PROVIDER);\n    cipher.init(Cipher.ENCRYPT_MODE, publicKey);\n\n    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();\n    CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStream, cipher);\n    cipherOutputStream.write(bytes);\n    cipherOutputStream.close();\n\n    return outputStream.toByteArray();\n}",
    "vulnerabilityType": "Insecure",
    "correction": "Avoid using ECB mode since it is insecure. Use a secure cipher mode such as CBC (with a randomized IV) or GCM instead.",

A-Amyan Jul 09 '25 11:07
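The report above flags a `Cipher.getInstance` call whose transformation string names ECB mode, with the transformation held in a constant (`RSA_CIPHER`) rather than written inline. The following is an added example, not part of the issue or of the Secured-Preference-Store project, of the kind of lightweight source check a maintainer can run over Java files to surface such call sites before review. It resolves string constants defined in the same file, splits each transformation into `algorithm/mode/padding` as the JCE does, and reports calls that either name ECB explicitly or pass a bare algorithm name (for which the provider chooses the mode; SunJCE, for instance, defaults `AES` to ECB). The Java sample source embedded below is constructed for the example; the regexes are deliberately simple and will not follow constants across files.

```python
import re

# Constructed sample Java source, modelled on the pattern the report flags:
# a String constant holding the transformation, then Cipher.getInstance(CONST, provider).
SAMPLE_SOURCE = '''
private static final String RSA_CIPHER = "RSA/ECB/PKCS1Padding";
private static final String AES_CIPHER = "AES/GCM/NoPadding";
Cipher c1 = Cipher.getInstance(RSA_CIPHER, SSL_PROVIDER);
Cipher c2 = Cipher.getInstance(AES_CIPHER);
Cipher c3 = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher c4 = Cipher.getInstance("AES");
'''

# String constants declared in the same file: String NAME = "value";
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
# Cipher.getInstance( "literal" ...) or Cipher.getInstance( IDENT ...)
CALL_RE = re.compile(r'Cipher\.getInstance\(\s*(?:"([^"]*)"|(\w+))')


def resolve_transformations(source):
    """Return (line_number, transformation_or_None) for every Cipher.getInstance call.

    A literal is used as-is; an identifier is looked up among the file's own
    String constants; anything else is reported as None (unresolved).
    """
    consts = dict(CONST_RE.findall(source))
    found = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            literal, ident = match.group(1), match.group(2)
            if literal is not None:
                found.append((lineno, literal))
            elif ident in consts:
                found.append((lineno, consts[ident]))
            else:
                found.append((lineno, None))
    return found


def classify(transformation):
    """Classify a JCE transformation string by its mode component."""
    if transformation is None:
        return "unresolved"
    parts = transformation.split("/")
    if len(parts) == 1:
        # Bare algorithm name: the provider picks mode and padding.
        return "default-mode"
    if len(parts) != 3:
        return "malformed"
    # JCE matches transformation components case-insensitively.
    return "ecb" if parts[1].upper() == "ECB" else "ok"


def find_ecb_uses(source):
    """Return (line_number, transformation, verdict) for calls worth a closer look."""
    return [
        (lineno, transformation, classify(transformation))
        for lineno, transformation in resolve_transformations(source)
        if classify(transformation) in ("ecb", "default-mode")
    ]


if __name__ == "__main__":
    for lineno, transformation, verdict in find_ecb_uses(SAMPLE_SOURCE):
        print(f"line {lineno}: {transformation!r} -> {verdict}")
```

On the constructed sample the checker reports the `RSA_CIPHER` call (resolved through the constant), the inline `AES/ECB/PKCS5Padding` call, and the bare `AES` call, while the GCM transformation passes. Treat "default-mode" findings as "confirm what this provider actually does", not as a definite defect.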