I am not sure where this comes from but I think it might be related to push notifications? maybe you could check the security behavior in a newer mendix version as well?
https://github.com/mendix/MxPushNotifications/blob/master/test/javasource/encryption/actions/EncryptString.java at least here it looks like this changed between releases. Git History shows that it was eg.
Cipher c = Cipher.getInstance("AES/CBC/PKCS5PADDING");
mid 2016
interesting topic anyways. Maybe you should file a support ticket and request for information there as well