The API of Android's predominant cryptographic security provider defaults to an insecure AES encryption method: when only AES is requested, it uses ECB block cipher mode. Android's default cryptographic security provider (since version 2.1) is BouncyCastle.
NOTE: Java also chooses ECB as the default when only the AES encryption method is specified, so this rule also applies to Java, although Java's default cryptographic security provider differs: Oracle Java's default provider is SunJCE.
This noncompliant code example shows an application that ..., and hence is not secure.
In this compliant solution ...
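To make the difference concrete, here is an added Java example (not code from the CERT page) that places the noncompliant `Cipher.getInstance("AES")` beside an explicit `AES/GCM/NoPadding` transformation and checks the ECB tell-tale: two identical plaintext blocks encrypting to identical ciphertext blocks. The class and method names are assumed, and the all-zero sample input is constructed.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AesDefaultCheck {

    // Noncompliant: "AES" alone lets the provider choose the mode and padding
    // (ECB with PKCS5 padding on SunJCE and on Android's BouncyCastle provider).
    static byte[] encryptWithDefault(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    // Compliant: name mode and padding explicitly. GCM also authenticates the
    // ciphertext. Output is iv || ciphertext so the decryptor has the nonce.
    static byte[] encryptWithGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];                 // 96-bit nonce; never reuse with the same key
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // ECB signature: identical 16-byte plaintext blocks yield identical ciphertext blocks,
    // so an observer learns where the plaintext repeats.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        byte[] twoIdenticalBlocks = new byte[32];     // constructed input: two all-zero blocks
        byte[] ecbCt = encryptWithDefault(key, twoIdenticalBlocks);
        byte[] gcmBody = Arrays.copyOfRange(encryptWithGcm(key, twoIdenticalBlocks), 12, 44);

        System.out.println("default \"AES\" repeats blocks: " + firstTwoBlocksEqual(ecbCt));
        System.out.println("AES/GCM/NoPadding repeats blocks: " + firstTwoBlocksEqual(gcmBody));
    }
}
```

Run against SunJCE or BouncyCastle, the defaulted cipher reports repeated blocks while the GCM ciphertext does not, which is the observable difference this rule is about.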
If an insecure encryption method is used, the encryption does not assure the privacy, integrity, or authentication of the data.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DRD17-J | High | Likely | Medium | P18 | L1 |
Automatic detection of ...