Potential Cryptographic Vulnerability: Insecure Algorithm

Description

The mode of operation used to encrypt the data is vulnerable. If AES is used without specifying the mode, the default mode is the insecure ECB mode.

Recommendation

We recommend AES for general-purpose use. If you're willing to go against the grain and are paranoid, you can use Serpent, which isn't quite as fast as AES but is believed to have a much higher security margin.

If you really feel that you need the fastest possible secure solution, consider the SNOW 2.0 stream cipher, which currently looks very good. It appears to have a much better security margin than the popular favorite, RC4, and is even faster. However, it is fairly new. If you're highly risk-averse, we recommend AES or Serpent. Although popular, RC4 would never be the best available choice.

Technical details
[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'decrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'decrypt', '([B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.EncrptClass.decrypt():


    public static String decrypt(String p1)
    {
        return new String(com.mobatia.dev.encryptpro.EncrptClass.decrypt(com.mobatia.dev.encryptpro.EncrptClass.toByte(p1)));
    }

Method com.mobatia.dev.encryptpro.EncrptClass.decrypt():


    private static byte[] decrypt(byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.EncrptClass.keyValue, "AES");
        javax.crypto.Cipher v1_2 = javax.crypto.Cipher.getInstance("AES");
        v1_2.init(2, v0_1);
        return v1_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'decrypt', '([B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.EncrptClass.decrypt():


    private static byte[] decrypt(byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.EncrptClass.keyValue, "AES");
        javax.crypto.Cipher v1_2 = javax.crypto.Cipher.getInstance("AES");
        v1_2.init(2, v0_1);
        return v1_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'encrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'encrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.EncrptClass.encrypt():


    public static String encrypt(String p1)
    {
        return com.mobatia.dev.encryptpro.EncrptClass.toHex(com.mobatia.dev.encryptpro.EncrptClass.encrypt(com.mobatia.dev.encryptpro.EncrptClass.getRawKey(), p1.getBytes()));
    }

Method com.mobatia.dev.encryptpro.EncrptClass.encrypt():


    private static byte[] encrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(1, v0_1);  // 1 = Cipher.ENCRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/EncrptClass;', 'encrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.EncrptClass.encrypt():


    private static byte[] encrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(1, v0_1);  // 1 = Cipher.ENCRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/NewEncrypt;', 'decrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.NewEncrypt.decrypt():


    public static byte[] decrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(2, v0_1);  // 2 = Cipher.DECRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/NewEncrypt;', 'encrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.NewEncrypt.encrypt():


    public static byte[] encrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(1, v0_1);  // 1 = Cipher.ENCRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/NewTest$1;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/NewEncrypt;', 'encrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.NewTest$1.onClick():


    public void onClick(android.view.View p4)
    {
        try {
            this.this$0.encrypted = com.mobatia.dev.encryptpro.NewEncrypt.encrypt(this.val$data, this.this$0.actualTxt.getText().toString().trim().getBytes());
            String v4_3 = android.util.Base64.encodeToString(this.this$0.encrypted, 0);
            this.this$0.encryptTxt.setText(v4_3);
            StringBuilder v1_3 = new StringBuilder();
            v1_3.append("crypted: ");
            v1_3.append(v4_3);
            android.util.Log.d("CRYPTO-TEST", v1_3.toString());
        } catch (Exception v4_5) {
            v4_5.printStackTrace();
        }
        return;
    }

Method com.mobatia.dev.encryptpro.NewEncrypt.encrypt():


    public static byte[] encrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(1, v0_1);  // 1 = Cipher.ENCRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/NewTest$2;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/NewEncrypt;', 'decrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.NewTest$2.onClick():


    public void onClick(android.view.View p3)
    {
        try {
            this.this$0.decrypted = com.mobatia.dev.encryptpro.NewEncrypt.decrypt(this.val$data, this.this$0.encrypted);
            this.this$0.decryptednmew = android.util.Base64.decode(android.util.Base64.encodeToString(this.this$0.decrypted, 0), 0);
            this.this$0.decryptedStrng = new String(this.this$0.decryptednmew);
            this.this$0.decryptTxt.setText(this.this$0.decryptedStrng);
            StringBuilder v0_8 = new StringBuilder();
            v0_8.append("decrypted: ");
            v0_8.append(this.this$0.decryptedStrng);
            android.util.Log.d("CRYPTO-TEST", v0_8.toString());
        } catch (Exception v3_8) {
            v3_8.printStackTrace();
        }
        return;
    }

Method com.mobatia.dev.encryptpro.NewEncrypt.decrypt():


    public static byte[] decrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(2, v0_1);  // 2 = Cipher.DECRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/SimpleCrypto;', 'decrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.SimpleCrypto.decrypt():


    private static byte[] decrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(2, v0_1);  // 2 = Cipher.DECRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.

[TAINT] String 'AES' ==>>> Sink '['Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/SimpleCrypto;', 'encrypt', '([B [B)[B'), ('Ljavax/crypto/Cipher;', 'getInstance', '(Ljava/lang/String;)Ljavax/crypto/Cipher;')]]

The insecure algorithm AES is used.

Method com.mobatia.dev.encryptpro.SimpleCrypto.encrypt():


    private static byte[] encrypt(byte[] p2, byte[] p3)
    {
        javax.crypto.spec.SecretKeySpec v0_1 = new javax.crypto.spec.SecretKeySpec(p2, "AES");
        javax.crypto.Cipher v2_2 = javax.crypto.Cipher.getInstance("AES");  // no mode or padding specified
        v2_2.init(1, v0_1);  // 1 = Cipher.ENCRYPT_MODE
        return v2_2.doFinal(p3);
    }

Method javax.crypto.Cipher.getInstance() not found.