Potentially Use non-random initialization vector (IV)

Description

Use of a non-random initialization vector makes the application vulnerable to dictionary attacks.

The following example demonstrates improper settings of hardcoded static IV:

public class InsecureExample {
    @Override
    public void run() throws Exception{
        byte[] IV = "0123456789abcdef".getBytes();
        String clearText = "Jan van Eyck was here 1434";
        String key = "ThisIs128bitSize";
        SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new IvParameterSpec(IV));
        byte[] encryptedMessage = cipher.doFinal(clearText.getBytes());
        Log.i(TAG, String.format("Message: %s", Base64.encodeToString(encryptedMessage, Base64.DEFAULT)));
    }
}

Recommendation

Properly initialize the IV with a secure random value

Technical details
[TAINT] String 'UTF8' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('LOB;', 'g', '()Ljava/lang/String;'), ('LTB;', 'a', '()Ljava/lang/String;'), ('LWB;', 'a', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method OB.g():


    public String g()
    {
        String v0_0 = this.o;
        if (v0_0 != null) {
            return v0_0.a();
        } else {
            return "";
        }
    }

Method TB.a():


    public String a()
    {
        return WB.a(this.e);
    }

Method WB.a():


    public static String a(String p4)
    {
        if (!android.text.TextUtils.isEmpty(p4)) {
            try {
                javax.crypto.SecretKey v1_0 = javax.crypto.SecretKeyFactory.getInstance("DES").generateSecret(new javax.crypto.spec.DESKeySpec(WB.a.getBytes("UTF8")));
                javax.crypto.spec.IvParameterSpec v2_2 = new javax.crypto.spec.IvParameterSpec(WB.a.getBytes("UTF8"));
                String v4_1 = android.util.Base64.decode(p4, 0);
                String v0_4 = javax.crypto.Cipher.getInstance("DES/CFB/NoPadding");
                v0_4.init(2, v1_0, v2_2);
                return new String(v0_4.doFinal(v4_1));
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            }
        } else {
            return p4;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] String 'UTF8' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('LTB;', 'a', '()Ljava/lang/String;'), ('LWB;', 'a', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method TB.a():


    public String a()
    {
        return WB.a(this.e);
    }

Method WB.a():


    public static String a(String p4)
    {
        if (!android.text.TextUtils.isEmpty(p4)) {
            try {
                javax.crypto.SecretKey v1_0 = javax.crypto.SecretKeyFactory.getInstance("DES").generateSecret(new javax.crypto.spec.DESKeySpec(WB.a.getBytes("UTF8")));
                javax.crypto.spec.IvParameterSpec v2_2 = new javax.crypto.spec.IvParameterSpec(WB.a.getBytes("UTF8"));
                String v4_1 = android.util.Base64.decode(p4, 0);
                String v0_4 = javax.crypto.Cipher.getInstance("DES/CFB/NoPadding");
                v0_4.init(2, v1_0, v2_2);
                return new String(v0_4.doFinal(v4_1));
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            }
        } else {
            return p4;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] String 'UTF8' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('LTB;', 'a', '(Ljava/lang/String;)V'), ('LWB;', 'b', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method TB.a():


    public void a(String p1)
    {
        this.e = WB.b(p1);
        return;
    }

Method WB.b():


    public static String b(String p6)
    {
        if (!android.text.TextUtils.isEmpty(p6)) {
            try {
                int v2_0 = javax.crypto.SecretKeyFactory.getInstance("DES").generateSecret(new javax.crypto.spec.DESKeySpec(WB.a.getBytes("UTF8")));
                javax.crypto.spec.IvParameterSpec v3_3 = new javax.crypto.spec.IvParameterSpec(WB.a.getBytes("UTF8"));
                String v0_1 = p6.getBytes("UTF8");
                javax.crypto.Cipher v4_3 = javax.crypto.Cipher.getInstance("DES/CFB/NoPadding");
                v4_3.init(1, v2_0, v3_3);
                String v0_3 = android.util.Base64.encodeToString(v4_3.doFinal(v0_1), 0);
            } catch (String v6_1) {
                v6_1.printStackTrace();
                p6 = "";
                v0_3 = "";
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            }
            if (p6.equals(v0_3)) {
                v0_3 = "";
            }
            return v0_3;
        } else {
            return p6;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] String 'UTF8' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('LWB;', 'a', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method WB.a():


    public static String a(String p4)
    {
        if (!android.text.TextUtils.isEmpty(p4)) {
            try {
                javax.crypto.SecretKey v1_0 = javax.crypto.SecretKeyFactory.getInstance("DES").generateSecret(new javax.crypto.spec.DESKeySpec(WB.a.getBytes("UTF8")));
                javax.crypto.spec.IvParameterSpec v2_2 = new javax.crypto.spec.IvParameterSpec(WB.a.getBytes("UTF8"));
                String v4_1 = android.util.Base64.decode(p4, 0);
                String v0_4 = javax.crypto.Cipher.getInstance("DES/CFB/NoPadding");
                v0_4.init(2, v1_0, v2_2);
                return new String(v0_4.doFinal(v4_1));
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            } catch (String v4_3) {
                v4_3.printStackTrace();
                return "";
            }
        } else {
            return p4;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.

[TAINT] String 'UTF8' ==>>> Sink '['Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V', '0', 'CRYPTO_SINK']' [[('LWB;', 'b', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/IvParameterSpec;', '<init>', '([B)V')]]

The application uses a hardcoded initialization vector (IV) to encrypt the data

Method WB.b():


    public static String b(String p6)
    {
        if (!android.text.TextUtils.isEmpty(p6)) {
            try {
                int v2_0 = javax.crypto.SecretKeyFactory.getInstance("DES").generateSecret(new javax.crypto.spec.DESKeySpec(WB.a.getBytes("UTF8")));
                javax.crypto.spec.IvParameterSpec v3_3 = new javax.crypto.spec.IvParameterSpec(WB.a.getBytes("UTF8"));
                String v0_1 = p6.getBytes("UTF8");
                javax.crypto.Cipher v4_3 = javax.crypto.Cipher.getInstance("DES/CFB/NoPadding");
                v4_3.init(1, v2_0, v3_3);
                String v0_3 = android.util.Base64.encodeToString(v4_3.doFinal(v0_1), 0);
            } catch (String v6_1) {
                v6_1.printStackTrace();
                p6 = "";
                v0_3 = "";
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            } catch (String v6_1) {
            }
            if (p6.equals(v0_3)) {
                v0_3 = "";
            }
            return v0_3;
        } else {
            return p6;
        }
    }

Method javax.crypto.spec.IvParameterSpec.<init>() not found.