Description
Spotted this during a routine penetration testing exercise
Mobile apps should not use cryptographic algorithms and protocols that have significant known weaknesses or are otherwise insufficient for modern security requirements. Algorithms that were considered secure in the past may become insecure over time; therefore, it's important to periodically check current best practices and adjust configurations accordingly.
These tests include verification that cryptographic algorithms are up to date and in line with industry standards. Vulnerable algorithms include outdated block ciphers (such as DES and 3DES), stream ciphers (such as RC4), hash functions (such as MD5 and SHA1), and broken or deprecated random number generators (such as Dual_EC_DRBG and SHA1PRNG).
Note that even algorithms that are certified (for example, by NIST) can become insecure over time.
Algorithms with known weaknesses should be replaced with more secure alternatives.
The following cryptographic algorithms are known to be weak and should not be used:
• DES, 3DES
• RC2
• RC4
• BLOWFISH
• MD4
• MD5
• SHA1
Upon inspection we identified the following usage of an outdated cryptographic algorithm in the code:

```kotlin
import java.security.NoSuchAlgorithmException
import java.security.SecureRandom

// Value assumed for this excerpt; the constant is defined elsewhere in the project.
private const val IV_SIZE_BYTES = 16

// Finding: the IV is generated by explicitly requesting the deprecated "SHA1PRNG"
// algorithm, whose behaviour depends on the provider that answers the request.
@Throws(NoSuchAlgorithmException::class)
private fun randomIv(): ByteArray {
    val randomIv = ByteArray(IV_SIZE_BYTES)
    SecureRandom.getInstance("SHA1PRNG").nextBytes(randomIv)
    return randomIv
}
```
Recommendation: use only algorithms recommended by BSI; see https://www.keylength.com/en/8/ for details. For the IV generation above, replace `SecureRandom.getInstance("SHA1PRNG")` with a `SecureRandom` instance created without naming an algorithm or provider, so that the platform's default CSPRNG is used.
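The following is an added example of the hardened form, not code from the audited project: the IV comes from a default-constructed `SecureRandom`, and it is shown feeding AES-GCM so that the property the IV must actually have (unique per encryption under a given key) is exercised. The AES-GCM usage, the 12-byte IV size, the function names and the sample message are assumptions for this example only.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Assumed for this example: the IV is consumed by AES/GCM, whose standard
// nonce length is 96 bits; the authentication tag is 128 bits.
private const val GCM_IV_SIZE_BYTES = 12
private const val GCM_TAG_BITS = 128

// One SecureRandom created without naming an algorithm or provider: the
// platform supplies its strongest default CSPRNG, and the deprecated
// "SHA1PRNG" name (whose behaviour depends on which provider answers) is
// never requested.
private val secureRandom = SecureRandom()

// Hardened replacement for the flagged randomIv().
fun randomIv(): ByteArray =
    ByteArray(GCM_IV_SIZE_BYTES).also { secureRandom.nextBytes(it) }

// Encrypts with a fresh IV per call and returns iv || ciphertext || tag.
// The IV is not secret; it only has to be unique for every message under a key.
fun encryptGcm(key: SecretKey, plaintext: ByteArray, aad: ByteArray = ByteArray(0)): ByteArray {
    val iv = randomIv()
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, iv))
    cipher.updateAAD(aad)
    return iv + cipher.doFinal(plaintext)
}

// Splits off the IV and decrypts; doFinal throws AEADBadTagException if the
// ciphertext, tag or AAD were modified.
fun decryptGcm(key: SecretKey, blob: ByteArray, aad: ByteArray = ByteArray(0)): ByteArray {
    require(blob.size > GCM_IV_SIZE_BYTES) { "ciphertext too short" }
    val iv = blob.copyOfRange(0, GCM_IV_SIZE_BYTES)
    val ct = blob.copyOfRange(GCM_IV_SIZE_BYTES, blob.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, iv))
    cipher.updateAAD(aad)
    return cipher.doFinal(ct)
}

fun main() {
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    val msg = "constructed sample message".toByteArray()   // constructed input

    // Round trip.
    val blob = encryptGcm(key, msg)
    check(decryptGcm(key, blob).contentEquals(msg)) { "round trip failed" }

    // Two consecutive encryptions of the same message must not share an IV:
    // a repeated GCM nonce under one key leaks the keystream and the tag key.
    val blob2 = encryptGcm(key, msg)
    check(!blob.copyOfRange(0, GCM_IV_SIZE_BYTES)
        .contentEquals(blob2.copyOfRange(0, GCM_IV_SIZE_BYTES))) { "IV reused" }

    // Tampering with one ciphertext bit must be rejected by the tag check.
    val tampered = blob.copyOf().also {
        it[it.lastIndex] = (it[it.lastIndex].toInt() xor 1).toByte()
    }
    check(runCatching { decryptGcm(key, tampered) }.isFailure) { "tamper not detected" }

    println("AES-GCM round trip OK, IVs fresh per call, tampering detected")
}
```

On Android, `SecureRandom()` is the form the OWASP MASTG recommends; `SecureRandom.getInstanceStrong()` should be avoided there because it can block on entropy, and naming a provider ties the app to one implementation.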