Mustafa Berk

Reputation: 121

Your app contains unsafe cryptographic encryption patterns

I couldn't update my app because the Google Play Store gave me this error:

Your app contains unsafe cryptographic encryption patterns.

com.boomset.mobile.utils.t0->b

And the app doesn't have an encryption method in this file.

Any idea in this case?

EDIT 2

I removed my Utils file content from here. Because it was not related to Google Play's rejection.

I have a package named Utils and it has a file that does encryption. Here is my Encryptor file.

Play Store gives me a link to solve this problem but I don't clearly understand it.

Thanks

import android.util.Base64;

import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Encryptor {

    private static final String TRANSFORMATION = "AES/CBC/PKCS5PADDING";

    // 16-byte IV, hard-coded: identical on every run and for every message
    private static final String initVector = "<our-vektor-key>";

    public static String encrypt(String value) {
        try {
            IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
            // first 16 bytes of the stored key -> AES-128
            byte[] key = Arrays.copyOfRange(AppPrefs.getEncryptionKey(), 0, 16);
            SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");

            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);

            byte[] encrypted = cipher.doFinal(value.getBytes("UTF-8"));
            return Base64.encodeToString(encrypted, Base64.NO_WRAP);
        } catch (Exception ex) {
            ex.printStackTrace();
        }

        return null;
    }

    public static String decrypt(String encrypted) {
        try {
            IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
            byte[] key = Arrays.copyOfRange(AppPrefs.getEncryptionKey(), 0, 16);
            SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");

            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);

            byte[] original = cipher.doFinal(Base64.decode(encrypted, Base64.NO_WRAP));

            return new String(original, "UTF-8");
        } catch (Exception ex) {
            ex.printStackTrace();
        }

        return "";
    }
}

Upvotes: 0

Views: 740

Answers (2)

Pierre

Reputation: 17437

It looks like your issue is using a statically computed value for your init vector.

See https://support.google.com/faqs/answer/9450925 for the full explanation:

A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app’s encrypted data. Even if you manipulate keys, initialization vectors, and salts in complex ways prior to use, they remain unsafe if these manipulations are the same for every program execution.

Some of the recommended alternatives are listed as well, in particular:

We recommend that you utilize Jetpack Security for symmetric cryptography. If your app encrypts API keys, personally identifiable information (PII), or other sensitive data, EncryptedSharedPreferences can be used to securely store this data without worrying about the implementation of secret keys, initialization vectors, and salts.

Upvotes: 0
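To show what "not statically computed" looks like in practice, here is the asker's Encryptor rewritten so that a fresh random IV is drawn for every call and stored in front of the ciphertext. This is an added example, not the asker's code and not Google's; it uses java.util.Base64 instead of android.util.Base64 so it runs as plain Java, and the key is generated in main() only for the demo (a stand-in for the Android Keystore or Jetpack Security key the answer recommends, not for AppPrefs).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class RandomIvEncryptor {

    private static final String TRANSFORMATION = "AES/CBC/PKCS5PADDING";
    private static final int IV_LENGTH = 16;   // AES block size
    private static final int BLOCK = 16;       // one padded block is the minimum ciphertext
    private static final SecureRandom RNG = new SecureRandom();

    // Output layout, Base64-encoded: [16-byte IV][ciphertext].
    // The IV is not secret; it only has to be unpredictable and never reused with the same key.
    public static String encrypt(SecretKey key, String value) throws Exception {
        byte[] iv = new byte[IV_LENGTH];
        RNG.nextBytes(iv);                                  // fresh IV for this message

        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));

        byte[] out = new byte[IV_LENGTH + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, IV_LENGTH);
        System.arraycopy(ciphertext, 0, out, IV_LENGTH, ciphertext.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static String decrypt(SecretKey key, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_LENGTH + BLOCK) {
            throw new IllegalArgumentException("input too short to hold IV and one block");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_LENGTH);      // read the IV back out
        byte[] ciphertext = Arrays.copyOfRange(in, IV_LENGTH, in.length);

        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demo-only key (assumption): in the app, obtain the key from the
        // Android Keystore / Jetpack Security rather than a constant or AppPrefs.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        String first = encrypt(key, "hello");
        String second = encrypt(key, "hello");
        System.out.println("same plaintext, different ciphertexts: " + !first.equals(second));
        System.out.println("round trip ok: " + "hello".equals(decrypt(key, first)));
    }
}
```

Two things to keep in mind when carrying this over to the app: the same check applies to the key, so a constant or a value derived the same way on every run (the AppPrefs bytes in the question) will still be flagged even with a random IV; and CBC on its own gives no integrity protection, so if the data can be tampered with in storage, AES/GCM/NoPadding with a random 12-byte nonce (or the EncryptedSharedPreferences the answer points to, which handles both) is the better choice.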

Afshin

Reputation: 9173

I think this problem is related to this support post. I personally didn't know about this change though. It seems you cannot use static keys anymore like yours.

Upvotes: 1
