Security alert on our production app on google play console

[ashishdimi09]

Hi,

We are seeing a warning on our production app on google play console. The warning states:

Security alert
Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details.
Vulnerable classes: com.xxx.xxx.android.AesCbcWithIntegrity
Affects APK version 10819.

The article the warning is referring to https://support.google.com/faqs/answer/9450925

Remediation
for Unsafe Cryptographic Encryption - Google HelpThis information is intended for developers with app(s) that contain unsafe cryptographic encryption patterns. That is, a ciphertext is generated with a statically computed secret key, salt, or initiasupport.google.com

Can someone help me to resolve this Security alert warning?

[SyntaxPolice]

This is an interesting error. We have not heard anyone else report this. Our library does not use static keys as you probably know. It possible that some of the backward compatibility code that we provide for older versions of Android are confusing the scanner. Or you may be using our library in such a way that you are using static keys. if you can share example code for how use the libraries we might be able to help you track it down.

…

On Thu, Oct 10, 2019, 10:35 PM ashishdimi09 ***@***.***> wrote: Hi, We are seeing a warning on our production app on google play console. The warning states: Security alert Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details. Vulnerable classes: com.xxx.xxx.android.AesCbcWithIntegrity Affects APK version 10819. The article the warning is referring to https://support.google.com/faqs/answer/9450925 Remediation for Unsafe Cryptographic Encryption - Google HelpThis information is intended for developers with app(s) that contain unsafe cryptographic encryption patterns. That is, a ciphertext is generated with a statically computed secret key, salt, or initiasupport.google.com Can someone help me to resolve this Security alert warning? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#48?email_source=notifications&email_token=AAEJ4U7LUHBS4AADOOC5VZ3QOAGBBA5CNFSM4I7VIHOKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HRDSEIA>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEJ4U6L5ZKBJPOTVER6TSLQOAGBBANCNFSM4I7VIHOA> .

[SyntaxPolice]

You can send me example code privately if you want. On Fri, Oct 11, 2019, 9:59 AM Isaac Potoczny-Jones <ijones@syntaxpolice.org> wrote:

…

This is an interesting error. We have not heard anyone else report this. Our library does not use static keys as you probably know. It possible that some of the backward compatibility code that we provide for older versions of Android are confusing the scanner. Or you may be using our library in such a way that you are using static keys. if you can share example code for how use the libraries we might be able to help you track it down. On Thu, Oct 10, 2019, 10:35 PM ashishdimi09 ***@***.***> wrote: > Hi, > > We are seeing a warning on our production app on google play console. The > warning states: > > Security alert > Your app contains unsafe cryptographic encryption patterns. Please see > this Google Help Center article for details. > Vulnerable classes: com.xxx.xxx.android.AesCbcWithIntegrity > Affects APK version 10819. > > The article the warning is referring to > https://support.google.com/faqs/answer/9450925 > > Remediation > for Unsafe Cryptographic Encryption - Google HelpThis information is > intended for developers with app(s) that contain unsafe cryptographic > encryption patterns. That is, a ciphertext is generated with a statically > computed secret key, salt, or initiasupport.google.com > > Can someone help me to resolve this Security alert warning? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#48?email_source=notifications&email_token=AAEJ4U7LUHBS4AADOOC5VZ3QOAGBBA5CNFSM4I7VIHOKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HRDSEIA>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAEJ4U6L5ZKBJPOTVER6TSLQOAGBBANCNFSM4I7VIHOA> > . >

[SyntaxPolice]

Working directly with reporter in private email to examine use of Tozny's library.

Based on my review of the reporter's code, I see a hard-coded password sent through several layers of constructors, eventually into the code that generates a key from a password. I also see a hard-coded salt instead of our random salt generator. Will confirm with reporter. If this is the case, it indicates an error in the use of the library, not an error in the library.

I updated the readme with more specific examples.

[SyntaxPolice]

Since I haven't heard back from the reporter, and this looks like a but in their application, I'm going to close this report. If you have further issues, or you think it's a bug in the Tozny library, please re-open. Thanks!

[GiaGioi99]

@SyntaxPolice hi, We were having a similar problem, but we tried to search for the class that google warning sent us but it didn't. I wonder if you can help us.

[SyntaxPolice]

Are you using our AES library? Look for the part of the code where you create the encryption keys. If it has a fixed password then that's the problem.

…

On Sat, May 9, 2020, 7:32 AM GiaGioi99 ***@***.***> wrote: @SyntaxPolice <https://github.com/SyntaxPolice> hi, We were having a similar problem, but we tried to search for the class that google warning sent us but it didn't. I wonder if you can help us. [image: image] <https://user-images.githubusercontent.com/60766646/81476506-7b25f680-923c-11ea-8acc-ce135959f670.png> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#48 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEJ4U64XW5Q54TIL3XVEADRQVSOFANCNFSM4I7VIHOA> .