(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
The predominant Android cryptographic security provider API defaults to using an insecure AES encryption method: ECB block cipher mode for AES encryption. Android's default cryptographic security provider (since version 2.1) is BouncyCastle.
NOTE: Java also chose ECB as a default value when only the AES encryption method is chosen. So, this rule also applies to Java, but for Java's different default cryptographic security provider. Oracle Java's default cryptographic security provider is SunJCE.
Noncompliant Code Example
This noncompliant code example shows an application that ..., and hence not secure.
In this compliant solution ..
DRD18-J. Do not use the default behavior in a cryptographic library if it does not use recommended practices
If an insecure encryption method is used, then the encryption does not assure privacy, integrity, and authentication of the data.
Automatic detection of ...
|Egele 2013||An Empirical Study of Cryptographic Misuse in Android Applications|