Security risk mobile app

Dear Reader,

I built a mobile app using PhoneGap and ran it through the Mobile App Security Test from ImmuniWeb. One of the risks that was identified is:

Description: Weak or badly implemented encryption algorithms can endanger data storage and transmission used by the mobile application.

Example of insecure code:

    Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, k, iv);
    byte[] cipherText = c.doFinal(plainText);

Example of secure code:

    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, k, iv);
    byte[] cipherText = c.doFinal(plainText);

Details: There is 'RSA/ECB/PKCS1Padding' found in file 'com/crypho/plugins/RSA.java':

    line 81: try {
    line 82:     return Cipher.getInstance("RSA/ECB/PKCS1Padding");
    line 83: } catch (Exception e) {

CVSSv3 Base Score: 4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Is there a way to solve this issue?

Thanks in advance,
Peter
asked
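As an added example (not from the question, the ImmuniWeb report, or the Crypho plugin), the two substitutions the report points at in plain JCA Java: RSA with OAEP instead of PKCS#1 v1.5 padding, and AES-GCM with a fresh random nonce instead of ECB. The class and method names are my own.

```java
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class SaferCipherDemo {
    // Replacement for "RSA/ECB/PKCS1Padding" (PKCS#1 v1.5): OAEP, with SHA-256 named
    // explicitly for both the hash and the MGF1 mask (some providers default MGF1 to
    // SHA-1 otherwise). In JCA naming "ECB" is only nominal for RSA, which encrypts a
    // single block; the padding scheme is what the scanner objects to.
    static OAEPParameterSpec oaep() {
        return new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256,
                PSource.PSpecified.DEFAULT);
    }
    static byte[] rsaEncrypt(KeyPair kp, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), oaep());
        return c.doFinal(plain);
    }
    static byte[] rsaDecrypt(KeyPair kp, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate(), oaep());
        return c.doFinal(ct);
    }
    // Replacement for AES/ECB: AES-GCM with a fresh random 12-byte nonce per message,
    // prepended to the ciphertext so the receiver can recover it. GCM also
    // authenticates, so a modified ciphertext fails on decrypt instead of decoding.
    static byte[] aesGcmEncrypt(SecretKey k, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] aesGcmDecrypt(SecretKey k, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, in, 0, 12));
        return c.doFinal(in, 12, in.length - 12); // AEADBadTagException if tampered
    }
}
```

Generate the keys with KeyPairGenerator.getInstance("RSA") at 2048 bits or more and KeyGenerator.getInstance("AES") at 256 bits. OAEP with SHA-256 limits a 2048-bit RSA call to 190 bytes of payload, so the usual pattern is to wrap an AES key with rsaEncrypt and encrypt the actual data with aesGcmEncrypt.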
1 answer

I am not sure where this comes from, but I think it might be related to push notifications? Maybe you could check the security behavior in a newer Mendix version as well?

https://github.com/mendix/MxPushNotifications/blob/master/test/javasource/encryption/actions/EncryptString.java at least here it looks like this changed between releases. Git history shows that it was, e.g.,

    Cipher c = Cipher.getInstance("AES/CBC/PKCS5PADDING");

in mid 2016.

Interesting topic anyway. Maybe you should file a support ticket and request information there as well.

answered