Secure-Pref-Manager
Potential vulnerability: using blank/default initialization vector
Hi,
By looking at the code of this library, I noticed that it depends on this encryption library: https://github.com/scottyab/AESCrypt-Android.
Also, I noticed that your encrypt method is using a default/blank initialization vector, which is known to be vulnerable to ciphertext-only attacks (a great discussion on the topic can be found here: http://security.stackexchange.com/questions/35210/encrypting-using-aes-256-do-i-need-iv/35216#35216). This vulnerability is also reported on the GitHub page of the dependency.
I recommend promptly fixing this weakness by generating a random initialization vector before performing encryption.
Thanks