"Your app contains unsafe cryptographic encryption patterns" - How I can get rid of this w


"Your app contains unsafe cryptographic encryption patterns" - How I can get rid of this warning?

asked Sep 19 '19 at 2:29 by Cheok Yan Cheng, edited Sep 19 '19 at 9:37
  • Did you find any solution? – Hemil Kumbhani, Sep 20 '19 at 6:40
  • Not really. I did not find any solution. – Cheok Yan Cheng, Sep 20 '19 at 17:25
  • Is there a class in the resources with each part of the fully qualified name starting with the letters c, then j, then a and so on? For example: com.java.android.sample.Java... – Boris, Sep 24 '19 at 11:39
  • Try to find the class that uses crypto, like in this question https://stackoverflow.com/questions/58026804/unsafe-cryptographic-encryption-patterns-how-to-solve-it; you will see that the KEY is the unsafe cryptographic encryption. I resolved it by using Android NDK Native. – Huo Chhunleng, Oct 3 '19 at 3:23
  • I had the same issue and I didn't use any static key for encryption, but the method was static and I changed it to a normal class-level method and it solved the issue. – AbuMaaiz, Nov 27 '19 at 5:42

https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

OR

Jetpack Security

For more details: Remediation for Unsafe Cryptographic Encryption

answered Nov 5 '19 at 7:39 by Vikram Kodag
  • The security-crypto library forces updating min-sdk-version to 26. Any solution for lower versions? – Azay Gupta, Nov 6 '19 at 7:03
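A minimal use of the EncryptedSharedPreferences API that the answer above links to, added here as an example (it is not code from the answer or from the Jetpack Security project); the preference file name, the preference key and the class name are assumptions:

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.io.IOException;
import java.security.GeneralSecurityException;

// Hypothetical helper: SharedPreferences whose keys and values are encrypted
// with a master key that is generated in the Android Keystore on first use,
// so no key material is compiled into the APK.
public final class SecurePrefs {
  private static final String FILE_NAME = "secure_prefs"; // assumed file name
  private static final String TOKEN_KEY = "auth_token";   // assumed preference key

  private SecurePrefs() {}

  public static SharedPreferences open(Context context)
      throws GeneralSecurityException, IOException {
    // AES256_GCM_SPEC creates (or reuses) a keystore-backed AES-256-GCM master key
    String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
    return EncryptedSharedPreferences.create(
        FILE_NAME,
        masterKeyAlias,
        context,
        // Deterministic encryption for the keys so lookups still work,
        // randomized AES-GCM for the values
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
  }

  // Store a secret such as a session token; encryption happens transparently
  public static void saveToken(Context context, String token)
      throws GeneralSecurityException, IOException {
    open(context).edit().putString(TOKEN_KEY, token).apply();
  }

  // Read it back; returns null when nothing has been stored yet
  public static String loadToken(Context context)
      throws GeneralSecurityException, IOException {
    return open(context).getString(TOKEN_KEY, null);
  }
}
```

Requires the androidx.security:security-crypto dependency; a static analyser sees no hard-coded key and no unauthenticated cipher mode in this code because both are handled inside the library and the keystore.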

https://developer.android.com/jetpack/androidx/releases/security

answered Sep 19 '19 at 4:49 by Mahesh
  • What if you need to decrypt some data that was previously encrypted with a former key? – Roman Samoilenko, Sep 19 '19 at 5:36
  • For that you can use asymmetric cryptography, which encrypts data with a different private key and on the other end decrypts the data with the public key. This link may help you. – Mahesh, Sep 19 '19 at 6:49
  • How is it possible to have a single public key that can decrypt a message encrypted with a different private key? Aren't the keys generated as a standalone pair? – Roman Samoilenko, Sep 19 '19 at 11:20
  • I think it's not related to the original question. Please ask a separate question, but you can get the answer to your questions from here. – Mahesh, Sep 23 '19 at 7:39

https://stackoverflow.com/questions/58002913/your-app-contains-unsafe-cryptographic-encryption-patterns-how-i-can-get-rid

    Unsafe cryptographic encryption patterns, how to solve it? [duplicate]

    asked Sep 20 '19 at 10:41 by Abdul Hanan, edited Oct 1 '19 at 6:31
    • What password? The user's password??? – charles-allen, Sep 20 '19 at 11:41
    • It's email+salt. – Abdul Hanan, Sep 21 '19 at 11:32

    With Find Security Bugs you get the CIPHER_INTEGRITY and HARD_CODE_KEY warnings:

    The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 25] CIPHER_INTEGRITY
    The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 15] CIPHER_INTEGRITY
    Hard coded cryptographic key found [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 35] HARD_CODE_KEY
    

    The solution is to use a cipher that includes a Hash-based Message Authentication Code (HMAC) to sign the data:

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    

    And to store the secret key in separate configuration files or keystores.

    Below is the whole class after a full refactoring:

    import android.util.Base64;
    import static java.nio.charset.StandardCharsets.UTF_8;
    import java.nio.ByteBuffer;
    import java.security.Key;
    import javax.crypto.Cipher;
    import javax.crypto.spec.GCMParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    
    public class AESCrypt {
      private static final String TRANSFORMATION = "AES/GCM/NoPadding";
      private static final int IV_BYTES = 12;  // GCM nonce length the provider generates
      private static final int TAG_BITS = 128; // GCM authentication tag length
    
      public static String encrypt(String value) throws Exception {
        Key key = generateKey();
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        // With no explicit spec the provider draws a fresh random nonce per call;
        // it has to be stored with the ciphertext so that decrypt can reuse it
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = cipher.getIV();
        if (iv == null || iv.length != IV_BYTES) {
          throw new IllegalStateException("unexpected GCM nonce length");
        }
        byte[] encryptedByteValue = cipher.doFinal(value.getBytes(UTF_8));
        byte[] out = ByteBuffer.allocate(IV_BYTES + encryptedByteValue.length)
            .put(iv).put(encryptedByteValue).array();
        return Base64.encodeToString(out, Base64.DEFAULT);
      }
    
      public static String decrypt(String value) throws Exception {
        Key key = generateKey();
        byte[] decoded = Base64.decode(value, Base64.DEFAULT);
        // The first IV_BYTES bytes are the nonce, the rest is ciphertext plus tag;
        // doFinal throws AEADBadTagException if either has been modified
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, decoded, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] decryptedByteValue = cipher.doFinal(decoded, IV_BYTES, decoded.length - IV_BYTES);
        return new String(decryptedByteValue, UTF_8);
      }
    
      private static Key generateKey() {
        // Configuration.getKey() stands for a key loaded from outside the source code;
        // the key's algorithm name is "AES", not the full cipher transformation string
        return new SecretKeySpec(Configuration.getKey().getBytes(UTF_8), "AES");
      }
    }
    
    answered Sep 20 '19 at 11:58 by Boris, edited Sep 23 '19 at 11:12
    • But java.util.Base64 requires API level 26. What's the reason for using java.util.Base64 or android.util.Base64? – Cheok Yan Cheng, Sep 22 '19 at 22:32
    • Also, what is the implementation of Configuration.getKey()? If it always returns the same value on different devices, will Google flag the warning again? – Cheok Yan Cheng, Sep 22 '19 at 22:37
    • @CheokYanCheng, can you share a link to the resource showing that you need level 26 for the Java 8 class java.util.Base64? – Boris, Sep 23 '19 at 10:51
    • See developer.android.com/reference/java/util/Base64.Encoder (Added in API level 26). – Cheok Yan Cheng, Sep 23 '19 at 10:58
    • @Boris I removed the hard-coded key and now the warning is gone, thanks. :-) – Abdul Hanan, Oct 10 '19 at 6:24
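Added example (not Boris's code) of a Keystore-backed replacement for the Configuration.getKey() placeholder, which is what the comments above ask about: the key alias and the class name are assumptions. AESCrypt.generateKey() would return KeystoreAesKey.getOrCreate() instead of wrapping configured bytes in a SecretKeySpec.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper: an AES-256 key that lives in the Android Keystore, so the
// APK contains no key bytes at all and there is nothing for a scanner to flag.
// Needs API 23+ for KeyGenParameterSpec.
public final class KeystoreAesKey {
  private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
  private static final String ALIAS = "aescrypt_key"; // assumed alias

  private KeystoreAesKey() {}

  // Returns the existing key, or generates one inside the keystore on first call.
  public static SecretKey getOrCreate() throws Exception {
    KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
    ks.load(null);
    Key existing = ks.getKey(ALIAS, null);
    if (existing instanceof SecretKey) {
      return (SecretKey) existing;
    }
    KeyGenerator kg = KeyGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
    kg.init(new KeyGenParameterSpec.Builder(ALIAS,
            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        // Bind the key to GCM without padding: the keystore refuses to use it
        // with an unauthenticated mode such as ECB or CBC
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build());
    return kg.generateKey();
  }
}
```

The key never leaves the device, so data encrypted on one device cannot be decrypted on another; the keystore also chooses the GCM nonce itself, so initialise the cipher for encryption without a GCMParameterSpec and read the nonce back with cipher.getIV() to store it beside the ciphertext.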

    https://stackoverflow.com/questions/58026804/unsafe-cryptographic-encryption-patterns-how-to-solve-it