Potential Cryptographic Vulnerability: Hardcoded key

Description

The data is encrypted using a weak key: the key material is hardcoded in the application.

Recommendation

We recommend AES for general-purpose use. If you're willing to go against the grain and are paranoid, you can use Serpent, which isn't quite as fast as AES but is believed to have a much higher security margin.

If you really feel that you need the fastest possible secure solution, consider the SNOW 2.0 stream cipher, which currently looks very good. It appears to have a much better security margin than the popular favorite, RC4, and is even faster. However, it is fairly new. If you're highly risk-averse, we recommend AES or Serpent. Although popular, RC4 would never be the best available choice.

Technical details
[TAINT] String 'exampleSalt' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'decrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'exampleSalt' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.AES256Cipher.decrypt():


    public static String decrypt(String p4) throws Exception
    {
        byte[] v4_1 = android.util.Base64.decode(p4, 0);
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_4 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_1.init(javax.crypto.Cipher.DECRYPT_MODE, v0_4, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return new String(v1_1.doFinal(v4_1), "UTF-8");
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'sampleText' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'decrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'sampleText' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.AES256Cipher.decrypt():


    public static String decrypt(String p4) throws Exception
    {
        byte[] v4_1 = android.util.Base64.decode(p4, 0);
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_4 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_1.init(javax.crypto.Cipher.DECRYPT_MODE, v0_4, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return new String(v1_1.doFinal(v4_1), "UTF-8");
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'sampleText' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'encrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'sampleText' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.AES256Cipher.encrypt():


    public static String encrypt(String p4) throws Exception
    {
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_2 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_3 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_3.init(javax.crypto.Cipher.ENCRYPT_MODE, v0_2, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return android.util.Base64.encodeToString(v1_3.doFinal(p4.getBytes()), 0);
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'exampleSalt' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'encrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'exampleSalt' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.AES256Cipher.encrypt():


    public static String encrypt(String p4) throws Exception
    {
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_2 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_3 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_3.init(javax.crypto.Cipher.ENCRYPT_MODE, v0_2, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return android.util.Base64.encodeToString(v1_3.doFinal(p4.getBytes()), 0);
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'sampleText' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/MainActivity$1;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'encrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'sampleText' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.MainActivity$1.onClick():


    public void onClick(android.view.View p3)
    {
        try {
            this.this$0.crypted = com.mobatia.dev.encryptpro.AES256Cipher.encrypt(this.this$0.actualTxt.getText().toString().trim());
            this.this$0.encryptTxt.setText(this.this$0.crypted);
        } catch (Exception v3_3) {
            v3_3.printStackTrace();
        }
        // The ciphertext is also written to logcat under the tag "CRYPTO-TEST".
        StringBuilder v0_6 = new StringBuilder();
        v0_6.append("crypted: ");
        v0_6.append(this.this$0.crypted);
        android.util.Log.d("CRYPTO-TEST", v0_6.toString());
    }

Method com.mobatia.dev.encryptpro.AES256Cipher.encrypt():


    public static String encrypt(String p4) throws Exception
    {
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_2 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_3 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_3.init(javax.crypto.Cipher.ENCRYPT_MODE, v0_2, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return android.util.Base64.encodeToString(v1_3.doFinal(p4.getBytes()), 0);
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'exampleSalt' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/MainActivity$1;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'encrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'exampleSalt' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.MainActivity$1.onClick():


    public void onClick(android.view.View p3)
    {
        try {
            this.this$0.crypted = com.mobatia.dev.encryptpro.AES256Cipher.encrypt(this.this$0.actualTxt.getText().toString().trim());
            this.this$0.encryptTxt.setText(this.this$0.crypted);
        } catch (Exception v3_3) {
            v3_3.printStackTrace();
        }
        // The ciphertext is also written to logcat under the tag "CRYPTO-TEST".
        StringBuilder v0_6 = new StringBuilder();
        v0_6.append("crypted: ");
        v0_6.append(this.this$0.crypted);
        android.util.Log.d("CRYPTO-TEST", v0_6.toString());
    }

Method com.mobatia.dev.encryptpro.AES256Cipher.encrypt():


    public static String encrypt(String p4) throws Exception
    {
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_2 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_3 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_3.init(javax.crypto.Cipher.ENCRYPT_MODE, v0_2, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return android.util.Base64.encodeToString(v1_3.doFinal(p4.getBytes()), 0);
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'exampleSalt' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/MainActivity$2;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'decrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'exampleSalt' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.MainActivity$2.onClick():


    public void onClick(android.view.View p3)
    {
        try {
            this.this$0.decrypted = com.mobatia.dev.encryptpro.AES256Cipher.decrypt(this.this$0.crypted);
        } catch (Exception v3_4) {
            v3_4.printStackTrace();
        }
        this.this$0.decryptTxt.setText(this.this$0.decrypted);
        // The recovered plaintext is also written to logcat under the tag "CRYPTO-TEST".
        StringBuilder v0_4 = new StringBuilder();
        v0_4.append("decrypted: ");
        v0_4.append(this.this$0.decrypted);
        android.util.Log.d("CRYPTO-TEST", v0_4.toString());
    }

Method com.mobatia.dev.encryptpro.AES256Cipher.decrypt():


    public static String decrypt(String p4) throws Exception
    {
        byte[] v4_1 = android.util.Base64.decode(p4, 0);
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_4 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_1.init(javax.crypto.Cipher.DECRYPT_MODE, v0_4, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return new String(v1_1.doFinal(v4_1), "UTF-8");
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.

[TAINT] String 'sampleText' ==>>> Sink '['Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V', '0', 'CRYPTO_SINK']' [[('Lcom/mobatia/dev/encryptpro/MainActivity$2;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/mobatia/dev/encryptpro/AES256Cipher;', 'decrypt', '(Ljava/lang/String;)Ljava/lang/String;'), ('Ljavax/crypto/spec/SecretKeySpec;', '<init>', '([B Ljava/lang/String;)V')]]

The application uses the hardcoded string 'sampleText' (passed to AES256Cipher.getRaw()) as secret key material for encrypting the data.

Method com.mobatia.dev.encryptpro.MainActivity$2.onClick():


    public void onClick(android.view.View p3)
    {
        try {
            this.this$0.decrypted = com.mobatia.dev.encryptpro.AES256Cipher.decrypt(this.this$0.crypted);
        } catch (Exception v3_4) {
            v3_4.printStackTrace();
        }
        this.this$0.decryptTxt.setText(this.this$0.decrypted);
        // The recovered plaintext is also written to logcat under the tag "CRYPTO-TEST".
        StringBuilder v0_4 = new StringBuilder();
        v0_4.append("decrypted: ");
        v0_4.append(this.this$0.decrypted);
        android.util.Log.d("CRYPTO-TEST", v0_4.toString());
    }

Method com.mobatia.dev.encryptpro.AES256Cipher.decrypt():


    public static String decrypt(String p4) throws Exception
    {
        byte[] v4_1 = android.util.Base64.decode(p4, 0);
        // Key material is derived from two string constants compiled into the app.
        javax.crypto.spec.SecretKeySpec v0_4 = new javax.crypto.spec.SecretKeySpec(com.mobatia.dev.encryptpro.AES256Cipher.getRaw("sampleText", "exampleSalt"), "AES");
        javax.crypto.Cipher v1_1 = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The IV is also a fixed constant rather than a per-message random value.
        v1_1.init(javax.crypto.Cipher.DECRYPT_MODE, v0_4, new javax.crypto.spec.IvParameterSpec("8119745113154120".getBytes()));
        return new String(v1_1.doFinal(v4_1), "UTF-8");
    }

Method javax.crypto.spec.SecretKeySpec.<init>() not found.