(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
The predominant Android cryptographic security provider defaults to an insecure AES encryption method: when AES is requested without a mode being specified, the provider selects ECB block cipher mode. Android's default cryptographic security provider (since version 2.1) is BouncyCastle.
NOTE: Java also selects ECB as the default when only the AES encryption method is specified, so this rule applies to Java as well, although Java uses a different default cryptographic security provider: Oracle Java's default provider is SunJCE.
Noncompliant Code Example
This noncompliant code example shows an application that ..., and hence is not secure.
Compliant Solution
In this compliant solution ...
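The difference between the two approaches, as an added example that is not part of this rule's own code: requesting only "AES" lets the provider fall back to ECB, which is visible because two identical plaintext blocks encrypt to two identical ciphertext blocks, whereas naming an authenticated mode explicitly (AES/GCM/NoPadding is assumed here as the compliant choice; the class and method names are also assumptions) removes the pattern leak.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class AesDefaultModeDemo {
    // Constructed sample input: two identical 16-byte blocks (all zeros).
    // Under ECB each block is encrypted independently, so both ciphertext blocks coincide.
    private static final byte[] PLAINTEXT = new byte[32];

    // Noncompliant: only the algorithm is named, so the provider chooses mode and padding.
    // On Android (BouncyCastle) and Oracle Java (SunJCE) the choice is ECB with PKCS5 padding.
    static byte[] encryptDefault(SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(PLAINTEXT);
    }

    // Compliant (assumed choice for this example): name mode and padding explicitly and use an
    // authenticated mode with a fresh random nonce for every message.
    static byte[] encryptGcm(SecretKey key, byte[] nonce) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(PLAINTEXT);
    }

    // Tell-tale check for ECB: are the first two 16-byte ciphertext blocks identical?
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);

        // With the provider default, identical plaintext blocks produce identical ciphertext blocks.
        System.out.println("Cipher.getInstance(\"AES\") repeats blocks: "
                + firstTwoBlocksEqual(encryptDefault(key)));
        // With GCM, the nonce-derived keystream makes the two blocks differ.
        System.out.println("AES/GCM/NoPadding repeats blocks:       "
                + firstTwoBlocksEqual(encryptGcm(key, nonce)));
    }
}
```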
Related Guidelines
Risk Assessment
If an insecure encryption method is used, the encryption does not assure the privacy, integrity, or authentication of the data.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD17-J | High | Likely | Medium | P18 | L1 |
Automated Detection
Automatic detection of ...
Bibliography
[Egele 2013] | An Empirical Study of Cryptographic Misuse in Android Applications |