flutter_secure_storage

Custom AES encryption key

Open subzero911 opened this issue 2 years ago • 5 comments

Is it possible to encrypt values with a custom AES key? I was wondering why it is encrypted "by itself" and does not require the user to enter some secret key. So I examined the source: https://github.com/mogol/flutter_secure_storage/blob/develop/flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/ciphers/StorageCipher18Implementation.java

...and found this 😱 [image]

Then it's used to encrypt values: [image]

Looks like it is always encrypted with the same hardcoded key, which, moreover, is publicly accessible! Seems not secure at all.

Feb 14 '23 08:02 subzero911

@subzero911 did you receive an answer to this? @mogol can you give some clarification?

Mar 15 '23 07:03 marcotrumpet

No, I didn't, but it looks like legacy code. I haven't found that it is used anywhere.

Mar 15 '23 08:03 subzero911

The PreferenceKey is not the AES key. Instead, it is used to fetch the encrypted key.

Btw, I want to raise a request to change the key size to 32 for AES-256.

Mar 15 '23 09:03 tianli91
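
The distinction drawn in the reply above, as an added example that is not part of the thread and not the plugin's code: a constant preferences name only locates a stored blob, and the blob is an AES key wrapped under a separate key. The class name, the `PREF_NAME` value, the in-memory map (standing in for SharedPreferences) and the locally generated RSA key pair (standing in for a keystore-held key) are assumptions made for illustration.

```java
import java.security.*;
import java.util.*;
import javax.crypto.*;

public class WrappedKeyDemo {
    // Public constant: only the NAME of the preferences entry (hypothetical value).
    static final String PREF_NAME = "demo_wrapped_aes_key";
    static final String WRAP_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final int KEY_BITS = 256; // 32-byte key, i.e. AES-256
    // Stand-in for SharedPreferences: anyone who can read app storage sees this map.
    static final Map<String, String> prefs = new HashMap<>();

    // Returns the AES data key: generated and stored wrapped on first use,
    // unwrapped with the key-encryption key (KEK) on later uses.
    static SecretKey loadOrCreateDataKey(KeyPair kek) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP_ALG);
        String stored = prefs.get(PREF_NAME);
        if (stored == null) {
            KeyGenerator gen = KeyGenerator.getInstance("AES");
            gen.init(KEY_BITS); // random key, never derived from PREF_NAME
            SecretKey fresh = gen.generateKey();
            rsa.init(Cipher.WRAP_MODE, kek.getPublic());
            prefs.put(PREF_NAME, Base64.getEncoder().encodeToString(rsa.wrap(fresh)));
            return fresh;
        }
        rsa.init(Cipher.UNWRAP_MODE, kek.getPrivate());
        byte[] blob = Base64.getDecoder().decode(stored);
        return (SecretKey) rsa.unwrap(blob, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kek = kpg.generateKeyPair(); // assumption: a keystore would hold this

        SecretKey first = loadOrCreateDataKey(kek);  // generates and stores the wrapped key
        SecretKey second = loadOrCreateDataKey(kek); // unwraps the stored blob
        System.out.println("same data key on reload: "
                + Arrays.equals(first.getEncoded(), second.getEncoded()));

        // Knowing PREF_NAME and reading the blob is not enough without the KEK.
        KeyPair other = kpg.generateKeyPair();
        try {
            loadOrCreateDataKey(other);
            System.out.println("unexpected: unwrapped with a different key");
        } catch (GeneralSecurityException e) {
            System.out.println("unwrap without the KEK failed: " + e.getClass().getSimpleName());
        }
    }
}
```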

This will help https://www.youtube.com/watch?v=JogvnnaJ8TI

Mar 15 '23 11:03 BraveEvidence

Was preferencesKeyPrefix implemented to solve the issue described above?

Mar 29 '24 14:03 Den-creator

The fix for this issue will be discussed in #769

Aug 13 '24 20:08 juliansteenbakker