android-secure-preferences

Grave security issues with the used encryption setup

Open patrickfav opened this issue 7 years ago • 0 comments

Hi,

You state your code derives its basic encryption logic from: http://www.java2s.com/Code/Android/Security/AESEncryption.htm (see: https://github.com/kovmarci86/android-secure-preferences/blob/master/secure-preferences/src/main/java/edu/gmu/tec/scout/utilities/Encryption.java)

This example has grave security issues, among others:

  • Silently uses the same key if none is provided
  • Uses ECB mode which is utterly insecure if the encrypted data is longer than 16 bytes
  • Uses broken MD5 hash to derive secret key from password

As I can see you avoid the first point, but still the other points are grave enough to make the whole scheme very insecure.

patrickfav, Nov 12 '18 13:11
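
The two remaining points from the issue, shown side by side as an added example (not code from the project or from the issue author): `weakEncrypt` reconstructs the MD5-plus-ECB pattern the issue describes, and `strongEncrypt` is one possible replacement using PBKDF2 and AES-GCM from the standard JCA. The class and method names, the sample password and plaintext, the 100,000 iteration count, the 16-byte salt, the 12-byte IV and the output layout are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbVsGcmDemo {
    // Weak pattern described in the issue: key = MD5(password), AES in ECB mode.
    static byte[] weakEncrypt(String password, byte[] plain) throws Exception {
        byte[] key = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plain);
    }

    // Hardened alternative (assumed parameters): salted PBKDF2 key, AES-GCM, fresh IV per call.
    // Output layout (assumption): salt(16) || iv(12) || ciphertext with 16-byte tag.
    static byte[] strongEncrypt(char[] password, byte[] plain) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[salt.length + iv.length + ct.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(iv, 0, out, salt.length, iv.length);
        System.arraycopy(ct, 0, out, salt.length + iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two identical 16-byte plaintext blocks.
        byte[] plain = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        byte[] weak = weakEncrypt("example-password", plain);
        boolean repeats = Arrays.equals(Arrays.copyOfRange(weak, 0, 16), Arrays.copyOfRange(weak, 16, 32));
        System.out.println("ECB: identical plaintext blocks give identical ciphertext blocks: " + repeats);
        byte[] a = strongEncrypt("example-password".toCharArray(), plain);
        byte[] b = strongEncrypt("example-password".toCharArray(), plain);
        System.out.println("GCM: two encryptions of the same value differ: " + !Arrays.equals(a, b));
    }
}
```

With ECB, equal stored values and equal 16-byte blocks within a value are visible in the ciphertext without the key; the GCM variant also authenticates the data, so a modified preference value fails decryption instead of yielding altered plaintext.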