Potentially Use non-random initialization vector (IV)

Description

Use of a non-random initialization vector makes the application vulnerable to dictionary attacks.

The following example demonstrates improper settings of hardcoded static IV:

public class InsecureExample {
    @Override
    public void run() throws Exception{
        byte[] IV = "0123456789abcdef".getBytes();
        String clearText = "Jan van Eyck was here 1434";
        String key = "ThisIs128bitSize";
        SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new IvParameterSpec(IV));
        byte[] encryptedMessage = cipher.doFinal(clearText.getBytes());
        Log.i(TAG, String.format("Message: %s", Base64.encodeToString(encryptedMessage, Base64.DEFAULT)));
    }
}

Recommendation

Properly initialize the IV with a secure random value

Technical details
[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('Lcom/paysys/nbpdigital/d/a;', 'a', '(I)Ljavax/crypto/Cipher;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.paysys.nbpdigital.d.a.a():


    private javax.crypto.Cipher a(int p7)
    {
        String v0_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS7Padding");
        java.security.Key v1_1 = this.d.getKey("MY_APP_ALIAS", 0);
        if (v1_1 != null) {
            if (p7 != 1) {
                v0_1.init(p7, v1_1, new javax.crypto.spec.IvParameterSpec(this.h()));
            } else {
                this.i();
                String v2_2 = this.i().edit();
                v2_2.remove("ENCRYPTED_PASS_SHARED_PREF_KEY");
                v2_2.remove("LAST_USED_IV_SHARED_PREF_KEY");
                v2_2.apply();
                this.d.deleteEntry("MY_APP_ALIAS");
                this.f();
                try {
                    v0_1.init(p7, v1_1);
                } catch (String v2_4) {
                    StringBuilder v4_1 = new StringBuilder();
                    v4_1.append("Encryption error =");
                    v4_1.append(v2_4);
                    android.util.Log.d("fingerPrint", v4_1.toString());
                }
                v0_1.init(p7, v1_1);
                this.b(v0_1.getIV());
            }
            return v0_1;
        } else {
            this.f();
            android.util.Log.d("fingerPrint", "keystore = null");
            return 0;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$b; I)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(I)Ljavax/crypto/Cipher;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.paysys.nbpdigital.d.a.a():


    private void a(android.os.CancellationSignal p7, com.paysys.nbpdigital.d.a$b p8, int p9)
    {
        try {
            if (!this.j()) {
                p8.a().onFailure("User hasn\'t granted permission to use Fingerprint");
            } else {
                this.b.authenticate(new android.hardware.fingerprint.FingerprintManager$CryptoObject(this.a(p9)), p7, 0, p8, 0);
            }
        } catch (com.paysys.nbpdigital.d.a$a v7_1) {
            com.paysys.nbpdigital.d.a$a v8_1 = p8.a();
            String v9_2 = new StringBuilder();
            v9_2.append("An error occurred: ");
            v9_2.append(v7_1.getMessage());
            v8_1.onFailure(v9_2.toString());
        }
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private javax.crypto.Cipher a(int p7)
    {
        String v0_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS7Padding");
        java.security.Key v1_1 = this.d.getKey("MY_APP_ALIAS", 0);
        if (v1_1 != null) {
            if (p7 != 1) {
                v0_1.init(p7, v1_1, new javax.crypto.spec.IvParameterSpec(this.h()));
            } else {
                this.i();
                String v2_2 = this.i().edit();
                v2_2.remove("ENCRYPTED_PASS_SHARED_PREF_KEY");
                v2_2.remove("LAST_USED_IV_SHARED_PREF_KEY");
                v2_2.apply();
                this.d.deleteEntry("MY_APP_ALIAS");
                this.f();
                try {
                    v0_1.init(p7, v1_1);
                } catch (String v2_4) {
                    StringBuilder v4_1 = new StringBuilder();
                    v4_1.append("Encryption error =");
                    v4_1.append(v2_4);
                    android.util.Log.d("fingerPrint", v4_1.toString());
                }
                v0_1.init(p7, v1_1);
                this.b(v0_1.getIV());
            }
            return v0_1;
        } else {
            this.f();
            android.util.Log.d("fingerPrint", "keystore = null");
            return 0;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$a;)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$b; I)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(I)Ljavax/crypto/Cipher;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.paysys.nbpdigital.d.a.a():


    public void a(android.os.CancellationSignal p2, com.paysys.nbpdigital.d.a$a p3)
    {
        this.a(p2, new com.paysys.nbpdigital.d.a$c(this, p3), 2);
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private void a(android.os.CancellationSignal p7, com.paysys.nbpdigital.d.a$b p8, int p9)
    {
        try {
            if (!this.j()) {
                p8.a().onFailure("User hasn\'t granted permission to use Fingerprint");
            } else {
                this.b.authenticate(new android.hardware.fingerprint.FingerprintManager$CryptoObject(this.a(p9)), p7, 0, p8, 0);
            }
        } catch (com.paysys.nbpdigital.d.a$a v7_1) {
            com.paysys.nbpdigital.d.a$a v8_1 = p8.a();
            String v9_2 = new StringBuilder();
            v9_2.append("An error occurred: ");
            v9_2.append(v7_1.getMessage());
            v8_1.onFailure(v9_2.toString());
        }
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private javax.crypto.Cipher a(int p7)
    {
        String v0_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS7Padding");
        java.security.Key v1_1 = this.d.getKey("MY_APP_ALIAS", 0);
        if (v1_1 != null) {
            if (p7 != 1) {
                v0_1.init(p7, v1_1, new javax.crypto.spec.IvParameterSpec(this.h()));
            } else {
                this.i();
                String v2_2 = this.i().edit();
                v2_2.remove("ENCRYPTED_PASS_SHARED_PREF_KEY");
                v2_2.remove("LAST_USED_IV_SHARED_PREF_KEY");
                v2_2.apply();
                this.d.deleteEntry("MY_APP_ALIAS");
                this.f();
                try {
                    v0_1.init(p7, v1_1);
                } catch (String v2_4) {
                    StringBuilder v4_1 = new StringBuilder();
                    v4_1.append("Encryption error =");
                    v4_1.append(v2_4);
                    android.util.Log.d("fingerPrint", v4_1.toString());
                }
                v0_1.init(p7, v1_1);
                this.b(v0_1.getIV());
            }
            return v0_1;
        } else {
            this.f();
            android.util.Log.d("fingerPrint", "keystore = null");
            return 0;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('Lcom/paysys/nbpdigital/d/a;', 'a', '(Ljava/lang/String; Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$a;)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$b; I)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(I)Ljavax/crypto/Cipher;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.paysys.nbpdigital.d.a.a():


    public void a(String p2, android.os.CancellationSignal p3, com.paysys.nbpdigital.d.a$a p4)
    {
        this.a(p3, new com.paysys.nbpdigital.d.a$d(this, p4, p2), 1);
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private void a(android.os.CancellationSignal p7, com.paysys.nbpdigital.d.a$b p8, int p9)
    {
        try {
            if (!this.j()) {
                p8.a().onFailure("User hasn\'t granted permission to use Fingerprint");
            } else {
                this.b.authenticate(new android.hardware.fingerprint.FingerprintManager$CryptoObject(this.a(p9)), p7, 0, p8, 0);
            }
        } catch (com.paysys.nbpdigital.d.a$a v7_1) {
            com.paysys.nbpdigital.d.a$a v8_1 = p8.a();
            String v9_2 = new StringBuilder();
            v9_2.append("An error occurred: ");
            v9_2.append(v7_1.getMessage());
            v8_1.onFailure(v9_2.toString());
        }
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private javax.crypto.Cipher a(int p7)
    {
        String v0_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS7Padding");
        java.security.Key v1_1 = this.d.getKey("MY_APP_ALIAS", 0);
        if (v1_1 != null) {
            if (p7 != 1) {
                v0_1.init(p7, v1_1, new javax.crypto.spec.IvParameterSpec(this.h()));
            } else {
                this.i();
                String v2_2 = this.i().edit();
                v2_2.remove("ENCRYPTED_PASS_SHARED_PREF_KEY");
                v2_2.remove("LAST_USED_IV_SHARED_PREF_KEY");
                v2_2.apply();
                this.d.deleteEntry("MY_APP_ALIAS");
                this.f();
                try {
                    v0_1.init(p7, v1_1);
                } catch (String v2_4) {
                    StringBuilder v4_1 = new StringBuilder();
                    v4_1.append("Encryption error =");
                    v4_1.append(v2_4);
                    android.util.Log.d("fingerPrint", v4_1.toString());
                }
                v0_1.init(p7, v1_1);
                this.b(v0_1.getIV());
            }
            return v0_1;
        } else {
            this.f();
            android.util.Log.d("fingerPrint", "keystore = null");
            return 0;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('Lcom/paysys/nbpdigital/fragments/LoginFragment$onClickListener;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/paysys/nbpdigital/fragments/LoginFragment;', 'access$400', '(Lcom/paysys/nbpdigital/fragments/LoginFragment;)V'), ('Lcom/paysys/nbpdigital/fragments/LoginFragment;', 'InitiateTouchID', '()V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$a;)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(Landroid/os/CancellationSignal; Lcom/paysys/nbpdigital/d/a$b; I)V'), ('Lcom/paysys/nbpdigital/d/a;', 'a', '(I)Ljavax/crypto/Cipher;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.paysys.nbpdigital.fragments.LoginFragment$onClickListener.onClick():


    public void onClick(android.view.View p2)
    {
        com.paysys.nbpdigital.fragments.LoginFragment v2_4;
        com.paysys.nbpdigital.fragments.registration.RegistrationFragment v0_1;
        switch (p2.getId()) {
            case 2131296309:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.Gmap();
                v2_4.addDockableFragment(v0_1);
                break;
            case 2131296310:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.ContactUsFragment();
                break;
            case 2131296311:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.FAQFragment();
                break;
            case 2131296314:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.TNCFragment();
                break;
            case 2131296315:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.TouchIdOperationsFragment();
                break;
            case 2131296331:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.ForgotPasswordFragment();
                break;
            case 2131296342:
                v2_4 = this.this$0.getMainActivity();
                v0_1 = new com.paysys.nbpdigital.fragments.registration.RegistrationFragment();
                break;
            case 2131296346:
                com.paysys.nbpdigital.fragments.LoginFragment.access$100(this.this$0);
                if (!com.paysys.nbpdigital.fragments.LoginFragment.access$200(this.this$0)) {
                } else {
                    com.paysys.nbpdigital.fragments.LoginFragment.access$300(this.this$0);
                }
                break;
            case 2131296352:
                com.paysys.nbpdigital.fragments.LoginFragment.access$400(this.this$0);
                break;
            default:
        }
        return;
    }

Method com.paysys.nbpdigital.fragments.LoginFragment.access$400():


    static synthetic void access$400(com.paysys.nbpdigital.fragments.LoginFragment p0)
    {
        p0.InitiateTouchID();
        return;
    }

Method com.paysys.nbpdigital.fragments.LoginFragment.InitiateTouchID():


    private void InitiateTouchID()
    {
        if (android.os.Build$VERSION.SDK_INT >= 23) {
            if (!this.fingerPrintAuthHelper.c()) {
                this.getMainActivity().addDockableFragment(new com.paysys.nbpdigital.fragments.TouchIdFragment());
            } else {
                this.initTouchIDDialoge(this.getString(2131558507));
                this.fingerPrintAuthHelper.a(new android.os.CancellationSignal(), this.getAuthListener(1));
            }
        }
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    public void a(android.os.CancellationSignal p2, com.paysys.nbpdigital.d.a$a p3)
    {
        this.a(p2, new com.paysys.nbpdigital.d.a$c(this, p3), 2);
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private void a(android.os.CancellationSignal p7, com.paysys.nbpdigital.d.a$b p8, int p9)
    {
        try {
            if (!this.j()) {
                p8.a().onFailure("User hasn\'t granted permission to use Fingerprint");
            } else {
                this.b.authenticate(new android.hardware.fingerprint.FingerprintManager$CryptoObject(this.a(p9)), p7, 0, p8, 0);
            }
        } catch (com.paysys.nbpdigital.d.a$a v7_1) {
            com.paysys.nbpdigital.d.a$a v8_1 = p8.a();
            String v9_2 = new StringBuilder();
            v9_2.append("An error occurred: ");
            v9_2.append(v7_1.getMessage());
            v8_1.onFailure(v9_2.toString());
        }
        return;
    }

Method com.paysys.nbpdigital.d.a.a():


    private javax.crypto.Cipher a(int p7)
    {
        String v0_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS7Padding");
        java.security.Key v1_1 = this.d.getKey("MY_APP_ALIAS", 0);
        if (v1_1 != null) {
            if (p7 != 1) {
                v0_1.init(p7, v1_1, new javax.crypto.spec.IvParameterSpec(this.h()));
            } else {
                this.i();
                String v2_2 = this.i().edit();
                v2_2.remove("ENCRYPTED_PASS_SHARED_PREF_KEY");
                v2_2.remove("LAST_USED_IV_SHARED_PREF_KEY");
                v2_2.apply();
                this.d.deleteEntry("MY_APP_ALIAS");
                this.f();
                try {
                    v0_1.init(p7, v1_1);
                } catch (String v2_4) {
                    StringBuilder v4_1 = new StringBuilder();
                    v4_1.append("Encryption error =");
                    v4_1.append(v2_4);
                    android.util.Log.d("fingerPrint", v4_1.toString());
                }
                v0_1.init(p7, v1_1);
                this.b(v0_1.getIV());
            }
            return v0_1;
        } else {
            this.f();
            android.util.Log.d("fingerPrint", "keystore = null");
            return 0;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.