Potentially Use non-random initialization vector (IV)

Description

Use of a non-random initialization vector makes the application vulnerable to dictionary attacks.

The following example demonstrates improper settings of hardcoded static IV:

public class InsecureExample {
    @Override
    public void run() throws Exception{
        byte[] IV = "0123456789abcdef".getBytes();
        String clearText = "Jan van Eyck was here 1434";
        String key = "ThisIs128bitSize";
        SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new IvParameterSpec(IV));
        byte[] encryptedMessage = cipher.doFinal(clearText.getBytes());
        Log.i(TAG, String.format("Message: %s", Base64.encodeToString(encryptedMessage, Base64.DEFAULT)));
    }
}

Recommendation

Properly initialize the IV with a secure random value

Technical details
[TAINT] Const '0' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B I I)V', '1', 'CRYPTO_SINK']' [[('Lcom/microsoft/appcenter/utils/crypto/CryptoAesHandler;', 'decrypt', '(Lcom/microsoft/appcenter/utils/crypto/CryptoUtils$ICryptoFactory; I Ljava/security/KeyStore$Entry; [B)[B'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B I I)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method com.microsoft.appcenter.utils.crypto.CryptoAesHandler.decrypt():


    public byte[] decrypt(com.microsoft.appcenter.utils.crypto.CryptoUtils$ICryptoFactory p6, int p7, java.security.KeyStore$Entry p8, byte[] p9)
    {
        com.microsoft.appcenter.utils.crypto.CryptoUtils$ICipher v1 = p6.getCipher("AES/CBC/PKCS7Padding", "AndroidKeyStoreBCWorkaround");
        int v0 = v1.getBlockSize();
        v1.init(2, ((java.security.KeyStore$SecretKeyEntry) p8).getSecretKey(), new javax.crypto.spec.IvParameterSpec(p9, 0, v0));
        return v1.doFinal(p9, v0, (p9.length - v0));
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.