Potential Cryptographic Vulnerability: Hardcoded key

Description

The data is encrypted using a weak key

Recommendation

We recommend AES for general-purpose use. If you're willing to go against the grain and are paranoid, you can use Serpent, which isn't quite as fast as AES but is believed to have a much higher security margin.

If you really feel that you need the fastest possible secure solution, consider the SNOW 2.0 stream cipher, which currently looks very good. It appears to have a much better security margin than the popular favorite, RC4, and is even faster. However, it is fairly new. If you're highly risk-averse, we recommend AES or Serpent. Although popular, RC4 would never be the best available choice.

Technical details
[TAINT] String ':' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('LiC;', 'a', '(Ljava/lang/String;)LiC$c;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses a hardcoded secret key ':' to encrypt the data

Method iC.a():


    // Decompiler output with the local variable types corrected
    // (the decompiler assigned the exception type to String[] and byte[] locals).
    // Input format: "<base64 AES key>:<base64 HMAC key>"
    public static iC$c a(String p6) throws java.security.InvalidKeyException
    {
        String[] v6_3 = p6.split(":");
        if (v6_3.length != 2) {
            throw new IllegalArgumentException("Cannot parse aesKey:hmacKey");
        } else {
            // flag value 2 is android.util.Base64.NO_WRAP
            byte[] v2_1 = android.util.Base64.decode(v6_3[0], 2);
            if (v2_1.length != 16) {   // 16 bytes = 128-bit AES key
                throw new java.security.InvalidKeyException("Base64 decoded key is not 128 bytes");
            } else {
                byte[] v6_5 = android.util.Base64.decode(v6_3[1], 2);
                if (v6_5.length != 32) {   // 32 bytes = 256-bit HMAC-SHA256 key
                    throw new java.security.InvalidKeyException("Base64 decoded key is not 256 bytes");
                } else {
                    return new iC$c(new javax.crypto.spec.SecretKeySpec(v2_1, 0, v2_1.length, "AES"), new javax.crypto.spec.SecretKeySpec(v6_5, "HmacSHA256"));
                }
            }
        }
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String ':' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B I I Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('LiC;', 'a', '(Ljava/lang/String;)LiC$c;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B I I Ljava/lang/String;)V')]]

The application uses a hardcoded secret key ':' to encrypt the data

Method iC.a(): identical to the listing under the preceding finding.

Method javax.crypto.spec.SecretKeySpec.<init>() not found.