
High attention point related to "Padding Oracle", reported by MobSF, when using encryption mode, "AES/CBC/PKCS7Padding", in class "StorageCipher18Implementation.java".

Open kaganzdmr58 opened this issue 1 year ago • 4 comments

When I analyzed the project with MobSF, it said that it found a high-priority error. When I followed the error, I discovered that an old method was used in the library. Can you help me fix the error?

```dart
const AndroidOptions(
  encryptedSharedPreferences: true,
  storageCipherAlgorithm: StorageCipherAlgorithm.AES_GCM_NoPadding,
);
```

I tried this, but my problem still persists; I get this error from MobSF: "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks."

kaganzdmr58 avatar May 02 '23 10:05 kaganzdmr58

Error page

com/it_nomads/fluttersecurestorage/ciphers/StorageCipher18Implementation.java

```java
// StorageCipher18Implementation.java
protected Cipher getCipher() throws Exception {
    return Cipher.getInstance("AES/CBC/PKCS7Padding");
}
```

STANDARDS
- CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
- OWASP Top 10: M5: Insufficient Cryptography
- OWASP MASVS: MSTG-CRYPTO-3

kaganzdmr58 avatar May 02 '23 10:05 kaganzdmr58
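The CWE-649 finding above is about integrity, not confidentiality: AES/CBC with PKCS7 padding produces ciphertext that carries no check against modification, so a decrypt call either returns altered plaintext without complaint or fails only on the padding, and that success/failure difference is the oracle MobSF warns about. The following is an added demonstration written for this thread, not code from flutter_secure_storage, contrasting the flagged mode with the AES/GCM/NoPadding mode the `StorageCipherAlgorithm.AES_GCM_NoPadding` option selects. The IV-prefixed blob layout, the class and method names, and the sample secret are all assumptions made for the example; the real library's storage format is not reproduced here. `AES/CBC/PKCS5Padding` is used instead of the Android provider's `PKCS7Padding` name so that it also runs on OpenJDK (both names denote the same padding for AES).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical demo class (not part of flutter_secure_storage).
public class CipherModeDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int CBC_IV_LEN = 16;   // one AES block
    private static final int GCM_IV_LEN = 12;   // recommended GCM nonce length
    private static final int GCM_TAG_BITS = 128;

    // The flagged configuration: ciphertext has no integrity check (CWE-649).
    // Blob layout (an assumption for this demo): IV || ciphertext.
    static byte[] encryptCbc(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[CBC_IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext));
    }

    static byte[] decryptCbc(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key,
               new IvParameterSpec(Arrays.copyOfRange(blob, 0, CBC_IV_LEN)));
        // Only the padding of the last block is checked; everything else is returned as-is.
        return c.doFinal(blob, CBC_IV_LEN, blob.length - CBC_IV_LEN);
    }

    // Hardened replacement, the mode behind StorageCipherAlgorithm.AES_GCM_NoPadding:
    // a fresh 12-byte nonce per message plus a 128-bit authentication tag.
    // Blob layout (again an assumption): IV || ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return concat(iv, c.doFinal(plaintext));
    }

    static byte[] decryptGcm(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOfRange(blob, 0, GCM_IV_LEN)));
        // Throws AEADBadTagException if any byte of IV, ciphertext or tag was modified.
        return c.doFinal(blob, GCM_IV_LEN, blob.length - GCM_IV_LEN);
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample value, 45 bytes: three blocks, so a flipped byte in the
        // first ciphertext block never disturbs the padding in the last block.
        byte[] secret = "token=0123456789abcdef;exp=2099-01-01T00:00Z;".getBytes(StandardCharsets.UTF_8);

        byte[] cbc = encryptCbc(key, secret);
        cbc[CBC_IV_LEN] ^= 0x01;                  // flip one bit in stored ciphertext
        byte[] cbcOut = decryptCbc(key, cbc);    // no exception: garbage is returned silently
        System.out.println("CBC: decrypt succeeded, plaintext altered = "
                           + !Arrays.equals(cbcOut, secret));

        byte[] gcm = encryptGcm(key, secret);
        gcm[GCM_IV_LEN] ^= 0x01;                  // same single-bit modification
        try {
            decryptGcm(key, gcm);
            System.out.println("GCM: unexpected success");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: tampering detected, decryption refused");
        }
    }
}
```

Running the demo prints `CBC: decrypt succeeded, plaintext altered = true` followed by `GCM: tampering detected, decryption refused`. That is the whole difference the scanner is pointing at: with CBC the application has no way to tell that the stored value was changed, whereas with GCM the tag check fails before any plaintext is released, which also removes the distinguishable padding error that a padding-oracle attack relies on. On Android, older provider versions may surface the GCM failure as the parent `BadPaddingException` rather than `AEADBadTagException`, so catching the parent type is the safer choice in production code.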

I have the same issue when scanning the app via Qualys.

nhan7777 avatar Jun 21 '23 06:06 nhan7777

I'm also having this issue. Is there any workaround for this problem?

abirajabi avatar Jul 24 '23 06:07 abirajabi

Possible duplicate of #526?

ernestomar avatar Aug 15 '23 14:08 ernestomar

The fix for this issue will be discussed in #769.

juliansteenbakker avatar Aug 13 '24 20:08 juliansteenbakker