
A few days ago, in the "Pre-launch report for APK" in Google Play Console, it started to flag me:

Unsafe encryption

Detected in APK ???

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Centre article for details.

Vulnerable classes:

c.j.a.s.J.b



However, since the early days of the APK, I have not changed anything in the encryption/decryption code. Hence, I'm not sure why Google started to warn me on the recent APK?

Any idea how to resolve this? The information for the vulnerable class c.j.a.s.J.b is not helpful.

I tried to use ProGuard + mapping.txt to retrace c.j.a.s.J.b but was not able to figure out what class that is.

Any idea how I can get rid of Google security warning?

Cheok Yan Cheng
  • Did you find any solution? – Hemil Kumbhani Sep 20 '19 at 06:40
  • Not really. I did not find any solution. – Cheok Yan Cheng Sep 20 '19 at 17:25
  • Is there a class in the resources with each part of the fully qualified name starting with the letters **c** then **j** then **a** and so on? For example: `com.java.android.sample.Java...`? – Boris Sep 24 '19 at 11:39
  • Try to find the class that uses crypto, like in this question [https://stackoverflow.com/questions/58026804/unsafe-cryptographic-encryption-patterns-how-to-solve-it](https://stackoverflow.com/questions/58026804/unsafe-cryptographic-encryption-patterns-how-to-solve-it); you will see that the KEY is the unsafe cryptographic encryption. I resolved it by using Android NDK Native. – Holi Boom Oct 03 '19 at 03:23
  • I had the same issue and I didn't use any static key for encryption, but the method was static and I changed it to a normal class-level method and it solved the issue. – AbuMaaiz Nov 27 '19 at 05:42
  • @m.ka this one I need to try. – Jinson Paul May 18 '20 at 11:06
  • @JinsonPaul, the thing I tried worked for some time but after that the issue appeared again; then I changed the code to Kotlin, and again the issue did not appear for some time but later it came back, and I still have this issue. When I contacted the Google support team they said the issue shown doesn't violate any Google Play policy; they are only letting us know that our app is vulnerable to attack, so I stopped spending time on the issue. – AbuMaaiz May 18 '20 at 11:23
  • @m.ka First I thought it was because of the static key stored in the app, then I changed to a config file, but the issue is still there. Anyway, my code base is in Java. I changed the static function and need to give it a shot. – Jinson Paul May 18 '20 at 11:27
  • Finally I was able to solve my issue. Regarding my code, the issue was in the initialization vector, which was not random; I changed it to random and since then this issue has not popped up. It's been around a month since I published the version to the Play Store with this update, no warnings so far, hope it got resolved. – AbuMaaiz Sep 15 '20 at 11:15

2 Answers

Google Play reports the vulnerable classes together with the function name; you can see it in the dialog.

Review your app for statically computed keys, initialization vectors, and/or salts that are used in cryptographic encryption operations and ensure that these values are constructed safely

For example:

    import javax.crypto.Cipher;
    import javax.crypto.spec.GCMParameterSpec;
    import javax.crypto.spec.SecretKeySpec;

    // Flagged pattern: key and IV arrive as caller-supplied strings, so a constant
    // passed at the call site is baked into the APK.
    public byte[] encryptionUtil(String key, String iv, byte[] plainText) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "AES");
        // 128-bit authentication tag (GCM's maximum); iv is expected to be 12 bytes
        GCMParameterSpec paramSpec = new GCMParameterSpec(128, iv.getBytes());
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, paramSpec);
        return cipher.doFinal(plainText);
    }

And you are calling the function as:

    byte[] cipherText = encryptionUtil("abcdef...", "010203040506", plainText);

Here your encryption key "abcdef..." is provided as a static string. A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app's encrypted data.

So you can use EncryptedSharedPreferences to store data locally.

Reference link https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

OR

Jetpack Security

For more details: Remediation for Unsafe Cryptographic Encryption

Vikram Kodag

I think you are using some encryption/decryption code with a statically stored key. A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app's encrypted data. So Google gives this warning to change that stored key to a dynamically generated key. For that you can generate a different key on every launch. To solve this problem, generate a dynamic encryption/decryption key on every launch. You can find more info here: https://developer.android.com/jetpack/androidx/releases/security

Mahesh
  • What if you need to decrypt some data that was previously encrypted with a former key? – Roman Samoilenko Sep 19 '19 at 05:36
  • For that you can use asymmetric cryptography, which encrypts data with a different private key and on the other end decrypts data with the public key. This [link](https://searchsecurity.techtarget.com/definition/asymmetric-cryptography) may help you. – Mahesh Sep 19 '19 at 06:49
  • How is it possible to have a single public key that can decrypt a message encrypted with a different private key? Aren't the keys generated as a standalone pair? – Roman Samoilenko Sep 19 '19 at 11:20
  • I think it's not related to the originally asked question. Please ask a separate question, but you can get your question answered from [here](https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work). – Mahesh Sep 23 '19 at 07:39