Potential Cryptographic Vulnerability: Insecure Algorithm

Description

The mode of operation used to encrypt the data may be insecure. If AES is requested without specifying a mode of operation, the default mode is ECB, which is insecure.

Recommendation

We recommend AES for general-purpose use. If you're willing to go against the grain and are paranoid, you can use Serpent, which isn't quite as fast as AES but is believed to have a much higher security margin.

If you really feel that you need the fastest possible secure solution, consider the SNOW 2.0 stream cipher, which currently looks very good. It appears to have a much better security margin than the popular favorite, RC4, and is even faster. However, it is fairly new. If you are highly risk-averse, we recommend AES or Serpent. Although popular, RC4 would never be the best available choice.

Technical details
[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/KeyGenerator;', 'getInstance', '(Ljava/lang/String; Ljava/lang/String;)Ljavax/crypto/KeyGenerator;', '0', 'CRYPTO_SINK']' [[('Lc/b/a/b/b;', 'onClick', '(Landroid/view/View;)V'), ('Lc/b/a/b/T;', 'b', '(Landroid/view/View;)V'), ('Lc/b/a/b/T;', 'a', '(Ljava/lang/Boolean;)V'), ('Lc/b/a/b/T;', 'mb', '()V'), ('Ljavax/crypto/KeyGenerator;', 'getInstance', '(Ljava/lang/String; Ljava/lang/String;)Ljavax/crypto/KeyGenerator;')]]

The insecure algorithm AES is used.

Method c.b.a.b.b.onClick():


    /**
     * Click listener entry point: forwards the click to the owning fragment's
     * handler (c.b.a.b.T.b(View)), which performs the fingerprint checks.
     *
     * @param p2 the view that was clicked
     */
    public final void onClick(android.view.View p2)
    {
        // Pure delegation; all logic lives in T.b(View).
        this.a.b(p2);
    }

Method c.b.a.b.T.b():


    /**
     * Click handler for the fingerprint-login toggle (reached from c.b.a.b.b.onClick).
     * Checks the platform level and fingerprint hardware before calling a(Boolean).
     *
     * @param p5 the clicked view (unused beyond being the click source)
     */
    public synthetic void b(android.view.View p5)
    {
        // The KeyguardManager is cached in a field; a(Boolean) later calls isKeyguardSecure() on it.
        this.ma = ((android.app.KeyguardManager) this.ma().getSystemService("keyguard"));
        // Fingerprint APIs exist only from API 23. Decompiler renders the boolean false as 0 and
        // Toast.LENGTH_SHORT as 0.
        if (android.os.Build$VERSION.SDK_INT < 23) {
            android.widget.Toast.makeText(this.ma(), "Device does not support Touch ID", 0).show();
            this.ia.setChecked(0);
            // Presumably persists the "fingerprint disabled" preference — confirm what ka.a() stores.
            this.ka.a(com.digitalticks.trade.CommonCode.a.k, "no");
        } else {
            this.la = ((android.hardware.fingerprint.FingerprintManager) this.ma().getSystemService("fingerprint"));
            // Decompiler artifact: declared Boolean but actually holds the FingerprintManager assigned above.
            Boolean v5_4 = this.la;
            if ((v5_4 == null) || (!v5_4.isHardwareDetected())) {
                // NOTE(review): no service / no hardware is handled silently — the user gets no feedback
                // and the toggle presumably keeps whatever state it was just clicked into; confirm.
            } else {
                // Hardware present: open the enable/disable dialog for the toggle's new state.
                this.a(Boolean.valueOf(this.ia.isChecked()));
            }
        }
        return;
    }

Method c.b.a.b.T.a():


    /**
     * Builds and shows the enable/disable fingerprint dialog. When a fingerprint is enrolled and the
     * lock screen is secure it first generates the keystore key via mb(), then either wires the
     * dialog button (lb() false) or starts fingerprint authentication with a CryptoObject.
     *
     * @param p4 true when the user is enabling fingerprint login, false when disabling
     */
    public void a(Boolean p4)
    {
        // Decompiler artifact: v4_2 is declared Dialog but only ever holds the title String below.
        android.app.Dialog v4_2;
        // The dialog and its status TextView are kept in static fields T.Y / T.Z.
        c.b.a.b.T.Y = new android.app.Dialog(this.ma());
        // 1 == Window.FEATURE_NO_TITLE; setCancelable(0) is the decompiler's rendering of false.
        c.b.a.b.T.Y.requestWindowFeature(1);
        c.b.a.b.T.Y.setCancelable(0);
        // Decompiler artifact: typed CryptoObject but actually the inflated dialog content View.
        android.hardware.fingerprint.FingerprintManager$CryptoObject v0_3 = this.ma().getLayoutInflater().inflate(2131493077, 0);
        c.b.a.b.T.Y.setContentView(v0_3);
        c.b.a.b.T.Z = ((android.widget.TextView) v0_3.findViewById(2131296521));
        if (!p4.booleanValue()) {
            v4_2 = "Disable";
        } else {
            v4_2 = "Enable";
        }
        ((android.widget.TextView) v0_3.findViewById(2131296985)).setText(v4_2);
        // Decompiler artifacts: v4_5 is the dialog Button, v0_6 is the dialog Window.
        android.app.Dialog v4_5 = ((android.widget.Button) v0_3.findViewById(2131296828));
        android.hardware.fingerprint.FingerprintManager$CryptoObject v0_6 = c.b.a.b.T.Y.getWindow();
        // 17170445 appears to be android.R.color.transparent; -1/-2 are MATCH_PARENT/WRAP_CONTENT.
        c.b.a.b.T.Y.getWindow().setBackgroundDrawableResource(17170445);
        v0_6.setLayout(-1, -2);
        // Presumably ContextCompat.checkSelfPermission; 0 == PackageManager.PERMISSION_GRANTED — confirm.
        if (a.b.f.a.a.a(this.ma(), "android.permission.USE_FINGERPRINT") == 0) {
            if (android.os.Build$VERSION.SDK_INT >= 23) {
                // Decompiler artifacts: v1_18 holds a status String, v0_19 the status TextView,
                // v0_11 the FingerprintManager cached by b(View).
                com.digitalticks.trade.CommonCode.d v1_18;
                android.hardware.fingerprint.FingerprintManager$CryptoObject v0_19;
                android.hardware.fingerprint.FingerprintManager$CryptoObject v0_11 = this.la;
                // NOTE(review): a null FingerprintManager takes the "enrolled" branch. b(View) guards
                // null before calling a(), so it is only a concern for other callers.
                if ((v0_11 == null) || (v0_11.hasEnrolledFingerprints())) {
                    // this.ma is the KeyguardManager set in b(View).
                    if (this.ma.isKeyguardSecure()) {
                        // Generates (or regenerates) the AndroidKeyStore key "DT" before any authentication.
                        this.mb();
                        if (!this.lb()) {
                            v4_5.setOnClickListener(new c.b.a.b.N(this));
                            c.b.a.b.T.Y.show();
                            return;
                        } else {
                            // Starts fingerprint authentication bound to this.pa (presumably a Cipher — confirm).
                            new com.digitalticks.trade.CommonCode.d(this.ma()).a(this.la, new android.hardware.fingerprint.FingerprintManager$CryptoObject(this.pa));
                        }
                    } else {
                        v0_19 = c.b.a.b.T.Z;
                        v1_18 = "Lock screen security not enabled in Settings";
                    }
                } else {
                    v0_19 = c.b.a.b.T.Z;
                    v1_18 = "Register at least one fingerprint in Settings";
                }
                v0_19.setText(v1_18);
            }
        } else {
            c.b.a.b.T.Z.setText("Fingerprint authentication permission not enabled");
        }
        // Every non-returning path shows the dialog, so status text set above becomes visible here.
        c.b.a.b.T.Y.show();
        return;
    }

Method c.b.a.b.T.mb():


    /**
     * Creates the AES key "DT" in the AndroidKeyStore that the fingerprint flow in a(Boolean) uses.
     *
     * Review of the flagged sink: KeyGenerator.getInstance("AES", "AndroidKeyStore") selects only the
     * key algorithm and provider; no cipher mode is chosen by this call, so the "default ECB" concern
     * in the finding description does not apply here. The block mode and padding are pinned explicitly
     * on the KeyGenParameterSpec below (CBC with PKCS7Padding) and the key requires user
     * authentication. The Cipher.getInstance(...) transformation later used with this key is not
     * visible in this listing and is where the mode actually needs to be checked.
     *
     * The duplicated catch clauses and the repeated key-generation code after the inner try are
     * decompiler artifacts (the original handlers catch distinct exception types).
     */
    protected void mb()
    {
        try {
            this.na = java.security.KeyStore.getInstance("AndroidKeyStore");
            try {
                // Decompiler artifact: typed IOException but holds the KeyGenerator.
                java.io.IOException v0_3 = javax.crypto.KeyGenerator.getInstance("AES", "AndroidKeyStore");
                try {
                    // load(0) is the decompiler's rendering of load(null); AndroidKeyStore takes no stream.
                    this.na.load(0);
                    // Purpose flags 3 appear to be PURPOSE_ENCRYPT | PURPOSE_DECRYPT — confirm.
                    RuntimeException v1_5 = new android.security.keystore.KeyGenParameterSpec$Builder("DT", 3);
                    String v3_1 = new String[1];
                    v3_1[0] = "CBC";
                    // setUserAuthenticationRequired(1) == true: key use is gated on keyguard/fingerprint auth.
                    RuntimeException v1_7 = v1_5.setBlockModes(v3_1).setUserAuthenticationRequired(1);
                    String v2_4 = new String[1];
                    v2_4[0] = "PKCS7Padding";
                    v0_3.init(v1_7.setEncryptionPaddings(v2_4).build());
                    // NOTE(review): generateKey() runs on every call of mb(); an existing "DT" key is
                    // presumably replaced — confirm that is intended.
                    v0_3.generateKey();
                    return;
                } catch (java.io.IOException v0_2) {
                    throw new RuntimeException(v0_2);
                } catch (java.io.IOException v0_2) {
                    // Silently ignored; falls through to the duplicated key-generation code below.
                } catch (java.io.IOException v0_2) {
                } catch (java.io.IOException v0_2) {
                }
            } catch (java.io.IOException v0_1) {
                throw new RuntimeException("Failed to get KeyGenerator instance", v0_1);
            } catch (java.io.IOException v0_1) {
                // NOTE(review): getInstance failure ignored here, yet v0_3 is used below — confirm
                // against the bytecode how the original code reaches this point.
            }
            // Second copy of the key-generation sequence, reached from the silent handlers above.
            this.na.load(0);
            v1_5 = new android.security.keystore.KeyGenParameterSpec$Builder("DT", 3);
            v3_1 = new String[1];
            v3_1[0] = "CBC";
            v1_7 = v1_5.setBlockModes(v3_1).setUserAuthenticationRequired(1);
            v2_4 = new String[1];
            v2_4[0] = "PKCS7Padding";
            v0_3.init(v1_7.setEncryptionPaddings(v2_4).build());
            v0_3.generateKey();
            return;
        } catch (RuntimeException v1_10) {
            // NOTE(review): every failure ends here and is only printed; a(Boolean) then continues to
            // lb()/authentication without a key having been generated.
            v1_10.printStackTrace();
        }
    }

Method javax.crypto.KeyGenerator.getInstance() not found.