Security issues
mr-africa opened this issue · 3 comments
Hello!
My company bought a security audit subscription to scan our mobile app. It found 3 problems in the react-native-sensitive-info
library. Probably it is a false positive, but could you check it please.
I use version 5.5.8.
Use of Potentially Dangerous Function
Description: Applications that use the FingerprintManager API to authenticate can be vulnerable to an authentication bypass attack, in which a user is tricked (by a separate mobile app or web page) into using their fingerprint to authenticate to the app under false pretenses. Some Android versions provide some mitigation against forms of this attack, but older versions do not.
Remediation: Instead of using the FingerprintManager API, use the safer BiometricPrompt or androidx.biometric libraries.
Affected files:
- RNSensitiveInfoModule.java: 488
- RNSensitiveInfoModule.java: 374
Use of a Broken or Risky Cryptographic Algorithm
Description: Initialization vector being used here is not cryptographically strong for the underlying primitive's encryption output.
Remediation: Make sure it's cryptographically generated using a good random number generator algorithm and seeded with OS-generated entropy. The length of the initialization vector should be the same as the size of the underlying block on which the cipher works. For AES with GCM mode use an initialization vector of 96 bits, and for almost all other modes use 128 bits; for stream ciphers of the Salsa/ChaCha family the initialization vector size should be 96 bits, and XSalsa and XChaCha use 192 bits of vector size.
Affected files:
- RNSensitiveInfoModule.java: 455
Hello, any news on this?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hello, facing the same problem, any update?