Google Play Store identifies unsafe encryption in the class SimpleAeadCipher

Issue #200 closed
Oren Dayan created an issue

The Google Play Console has identified a security and trust issue, which it describes as unsafe encryption in the class SimpleAeadCipher.

jose4j version 0.7.12

Comments (5)

  1. Brian Campbell repo owner

    It seems this is likely due to the use of a static key and IV in SimpleAeadCipher. They are only being used to do a test encryption operation to check for algorithm availability, so it's not actually unsafe in practice. But I think/hope using random values instead will keep Google Play Console from raising concerns.

    https://bitbucket.org/b_c/jose4j/src/260e3af364ee7f1b0172e37d3ca5814616110c68/src/main/java/org/jose4j/jwe/SimpleAeadCipher.java#lines-131 is what I suspect is the source of the complaint.
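    As an added illustration of the pattern described in this comment (example code, not jose4j's own SimpleAeadCipher), the probe below checks whether `AES/GCM/NoPadding` is available in the JCA. The first variant uses hard-coded key and IV bytes, which is the kind of static material static-analysis scanners flag even when it only feeds a self-test; the second draws fresh bytes from `SecureRandom` for each probe and yields the same availability answer. The class and method names are assumptions for this example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not jose4j code): probing AEAD algorithm availability.
public final class AeadAvailabilityProbe {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Illustrative "before": hard-coded key and IV. Even though they only feed
    // a throwaway self-test, fixed key/nonce bytes in a class file are exactly
    // the pattern a scanner reports as unsafe encryption.
    static boolean isAvailableWithStaticMaterial() {
        byte[] key = new byte[16]; // all zeros, hard-coded
        byte[] iv = new byte[12];  // all zeros, hard-coded
        return probe(key, iv);
    }

    // "After": a fresh random key and IV per probe. The availability answer is
    // the same, but no fixed secret or nonce appears in the code.
    static boolean isAvailableWithRandomMaterial() {
        byte[] key = new byte[16];
        byte[] iv = new byte[12];
        RANDOM.nextBytes(key);
        RANDOM.nextBytes(iv);
        return probe(key, iv);
    }

    // Try one encryption of an empty plaintext; any GeneralSecurityException
    // (no such algorithm/padding, bad key, bad parameters) means "unavailable".
    private static boolean probe(byte[] key, byte[] iv) {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE,
                        new SecretKeySpec(key, "AES"),
                        new GCMParameterSpec(128, iv)); // 128-bit tag
            cipher.doFinal(new byte[0]);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("AES/GCM/NoPadding available: "
                + isAvailableWithRandomMaterial());
    }
}
```

    Because the probe encrypts nothing of value and discards the key, the random variant costs only a few bytes from `SecureRandom` per check, and it removes the static key/IV that triggered the report.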

  2. Brian Campbell repo owner

    v0.9.2 is out and should fix this. I don’t use Google Play Console so don’t have an easy way to confirm. I would very much appreciate if you could comment here and let me know.

  3. Oren Dayan reporter

    Hi,
    Thanks for your reply and quick solution.
    We have run Veracode with our security team and it looks like it has been solved.
