
Google Play Unsafe Encryption #512

Closed
RicharC293 opened this issue Jan 24, 2023 · 7 comments

Comments

@RicharC293

Hi...
My Google Play Console showed me the following message:

Unsafe Encryption
Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details.
g0.c.r.q.B

The package that uses encryption in my project is Secure Storage; has anyone identified this problem?

Google Play Console doesn't say any more.

@NickalasB

Hi there @juliansteenbakker @jhancock4d. Just to build on this issue... our static analysis tools also threw out a warning about this.

It seems to not like this particular part of the code where Base64.decode and Base64.encodeToString are used.

I'm pasting the output of that warning + the recommendation from the tool. Thank you very much

AFFECTED CODE

Cryptographic secrets - encryption key, salt, or initialization vector(IV) used to encrypt passwords/data are hard-coded in the App's binary. Cryptographic secrets were identified in the following files:


Decompiled source code:


```java
// Decompiled constructor as reported by the analysis tool. The report dropped the
// quotes around string literals and mislabelled several local types; both are
// restored here, and comments describe what each step does.
public h(android.content.Context p7, nd.a p8)
{
    this.b = new java.security.SecureRandom();
    String v0_2 = this.a();                                   // preference key name
    android.content.SharedPreferences v7_9 = p7.getSharedPreferences("FlutterSecureKeyStorage", 0);
    android.content.SharedPreferences.Editor v1_0 = v7_9.edit();
    String v7_1 = v7_9.getString(v0_2, null);                 // previously stored, wrapped AES key (Base64)
    this.a = this.b();
    if (v7_1 != null) {
        try {
            // unwrap the stored key using the key-wrapping helper p8
            this.c = p8.b(android.util.Base64.decode(v7_1, 0), "AES");
            return;
        } catch (Exception v7_4) {
            android.util.Log.e("StorageCipher18Impl", "unwrap key failed", v7_4);
        }
    }
    // no stored key (or unwrap failed): generate a fresh random 128-bit AES key
    byte[] v7_6 = new byte[16];
    this.b.nextBytes(v7_6);
    javax.crypto.spec.SecretKeySpec v4_3 = new javax.crypto.spec.SecretKeySpec(v7_6, "AES");
    this.c = v4_3;
    // wrap the new key and persist it Base64-encoded in SharedPreferences
    v1_0.putString(v0_2, android.util.Base64.encodeToString(p8.a(v4_3), 0));
    v1_0.apply();
    return;
}
```

A hard-coded value or a statically computed value is a value that is the same on every execution of your App. Statically computed cryptographic values can be extracted from your App and used to attack your App's encrypted data. Even if you manipulate keys, initialization vectors, and salts in complex ways before use, they remain unsafe if these manipulations are the same for every program execution.

As part of Google's App Security Improvement Program, Google Play has begun to warn Apps that are statically computing cryptographic values.

RECOMMENDATION
Android JetPack's security library contains convenience methods to encrypt data and manage encryption keys securely. One such convenience method is EncryptedSharedPreferences, which can be used to securely store data without worrying about the implementation of secret keys, initialization vectors, and salts.

If your business logic doesn't permit you to use JetPack's security library Google recommends the following standards:

Secret Keys: Symmetric secret keys must be unpredictable and secret. For encrypting local data, developers should construct secret keys using cryptographically secure randomness (or from user-generated data, if using PBEKeySpecs) and store the secret keys using the AndroidKeystore.

Initialization Vectors: Initialization vectors must be unique and unpredictable across multiple messages but do not need to be secret. Developers should construct initialization vectors using cryptographically secure randomness. Developers should store or transmit the initialization vectors along with the associated ciphertext.

Salts: Salts must be unique and unpredictable across multiple hashes but do not need to be secret. Developers should construct salts using cryptographically secure randomness. Developers should store or transmit the salts along with the associated hashes.
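The three rules in the tool's recommendation (random secret key, random per-message IV stored with the ciphertext, random salt stored with the hash), as an added example that is not code from flutter_secure_storage or from the analysis tool. It uses plain `javax.crypto` so it runs on any JDK; the class name, the iteration count and the sample inputs are assumptions, and on Android the key would come from the `AndroidKeyStore` provider instead of a `SecretKeySpec`, as the comment notes.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from flutter_secure_storage): the three rules from the
// recommendation, done with plain javax.crypto so it runs on any JDK.
public class PerRunCryptoExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;            // 96-bit nonce, the GCM default
    private static final int GCM_TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 310_000;  // assumed work factor

    // The pattern the Play warning is about: a value identical on every run,
    // e.g. `private static final byte[] STATIC_IV = {0, 1, 2, ...};` used as the IV.
    // Nothing below is constant across executions.

    // Rule 1: the secret key comes from a CSPRNG, not from a literal in the binary.
    // On Android, prefer KeyGenerator.getInstance("AES", "AndroidKeyStore") with a
    // KeyGenParameterSpec so the raw key bytes never leave the Keystore.
    static SecretKey newRandomAesKey() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return new SecretKeySpec(raw, "AES");
    }

    // Rule 2: a fresh random IV per message, stored in front of the ciphertext.
    // Reusing an IV under the same GCM key breaks both confidentiality and the tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);   // includes the GCM tag
        return ByteBuffer.allocate(iv.length + ciphertext.length)
                .put(iv).put(ciphertext).array();
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] iv = new byte[GCM_IV_BYTES];
        buf.get(iv);                                     // IV travels with the ciphertext
        byte[] ciphertext = new byte[buf.remaining()];
        buf.get(ciphertext);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ciphertext);               // AEADBadTagException if tampered
    }

    // Rule 3: a random salt per password, stored beside the derived value.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newRandomAesKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] blob1 = encrypt(key, msg);
        byte[] blob2 = encrypt(key, msg);
        // Same key, same plaintext, different IV: the two blobs must differ.
        System.out.println("ciphertexts differ:   " + !Arrays.equals(blob1, blob2));
        System.out.println("round trip ok:        " + Arrays.equals(decrypt(key, blob1), msg));

        byte[] salt = newSalt();
        byte[] k1 = deriveKey("correct horse".toCharArray(), salt);
        byte[] k2 = deriveKey("correct horse".toCharArray(), salt);
        byte[] k3 = deriveKey("correct horse".toCharArray(), newSalt());
        System.out.println("same salt reproduces: " + Arrays.equals(k1, k2));
        System.out.println("new salt differs:     " + !Arrays.equals(k1, k3));
    }
}
```

Compile and run with `javac PerRunCryptoExample.java && java PerRunCryptoExample`. The decompiled constructor above already draws its AES key from `SecureRandom`; what this example adds is the IV and salt handling the recommendation asks for, with each non-secret value written out next to the data it protects rather than fixed in code.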

@jhancock4d
Contributor

That looks like Android code and not web, correct?

@NickalasB

> That looks like Android code and not web, correct?

Correct. Android code.

@BraveEvidence

This will help https://www.youtube.com/watch?v=JogvnnaJ8TI

@AnoopSinghAswal

Have you resolved this issue? I am also facing the same.

@GoldenSoju

GoldenSoju commented May 30, 2023

I suddenly got this warning (and an Implicit PendingIntent Vulnerability warning) last week after uploading a new version to the Play Store. I uploaded a new version at the beginning of May, with Flutter 3.7.*, and there were no warnings. Last week's version had Flutter 3.10.*, so I thought it was related to the Flutter version. But that does not seem to be the case?
Unfortunately, these code hints (bjqm.c (in dynamically loaded code)) don't help at all.

In the RevenueCat community someone mentions that those errors disappeared after uploading a new bundle without changes... I haven't tried that yet though.

@juliansteenbakker
Owner

The fix for this issue will be discussed in #769
