(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

The predominant Android cryptographic API, javax.crypto.Cipher, accepts a transformation string that names only an algorithm (for example "AES"), in which case the installed security provider silently chooses the block cipher mode and padding. Android's default cryptographic security provider (since version 2.1) is BouncyCastle, and its default mode for AES is ECB (Electronic Codebook), which is insecure: ECB encrypts every 16-byte block independently under the same key, so identical plaintext blocks produce identical ciphertext blocks, and structure in the plaintext remains visible in the ciphertext.

NOTE: Oracle Java has the same behavior. When a transformation names only the algorithm, as in Cipher.getInstance("AES"), Oracle Java's default cryptographic security provider, SunJCE, uses ECB mode with PKCS5Padding. This rule therefore also applies to Java, only with a different default provider supplying the insecure default.
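The following standalone Java program is an added example; it is not the rule's own noncompliant or compliant code, nor code from the Android or Java projects. Run on a stock JDK with SunJCE, it encrypts two identical plaintext blocks with Cipher.getInstance("AES"), shows that the resulting ciphertext blocks are identical (the ECB leak) and that no IV is in use, and contrasts that with an explicit "AES/GCM/NoPadding" transformation using a fresh random nonce, whose output hides block equality and rejects a tampered ciphertext. The class name, helper names, and the sample plaintext are this example's own constructions. On Android, where the default provider is BouncyCastle, the "AES"-only transformation string also resolves to ECB, so the same checks apply there.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EcbDefaultDemo {

    // Constructed sample input: two identical 16-byte blocks. Under ECB the two
    // ciphertext blocks are also identical, which is the leak this rule is about.
    private static final byte[] PLAINTEXT =
            "0123456789ABCDEF0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);

    private static final int AES_BLOCK_BYTES = 16;
    private static final int GCM_NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM nonce size
    private static final int GCM_TAG_BITS = 128;

    /** True if the first two AES blocks of a ciphertext are byte-for-byte equal. */
    static boolean firstTwoBlocksEqual(byte[] ciphertext) {
        byte[] b0 = Arrays.copyOfRange(ciphertext, 0, AES_BLOCK_BYTES);
        byte[] b1 = Arrays.copyOfRange(ciphertext, AES_BLOCK_BYTES, 2 * AES_BLOCK_BYTES);
        return Arrays.equals(b0, b1);
    }

    /** Noncompliant: only the algorithm is named, so the provider picks mode and padding (ECB/PKCS5Padding in SunJCE). */
    static byte[] encryptWithProviderDefault(SecretKey key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    /** Compliant: mode and padding are spelled out; a fresh random nonce is prepended to the ciphertext. */
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);          // a nonce must never be reused with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Splits off the nonce and decrypts; throws AEADBadTagException if the data was modified. */
    static byte[] decryptGcm(SecretKey key, byte[] nonceAndCiphertext) throws Exception {
        byte[] nonce = Arrays.copyOfRange(nonceAndCiphertext, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(nonceAndCiphertext, GCM_NONCE_BYTES, nonceAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Runtime tell for the provider default: ECB takes no IV, so getIV() is null after init.
        Cipher probe = Cipher.getInstance("AES");
        probe.init(Cipher.ENCRYPT_MODE, key);
        System.out.println("Provider for \"AES\":            " + probe.getProvider().getName());
        System.out.println("Default transformation uses IV:  " + (probe.getIV() != null));   // false

        byte[] ecb = encryptWithProviderDefault(key, PLAINTEXT);
        System.out.println("Default mode leaks equal blocks: " + firstTwoBlocksEqual(ecb));  // true

        byte[] gcm = encryptGcm(key, PLAINTEXT);
        byte[] gcmBody = Arrays.copyOfRange(gcm, GCM_NONCE_BYTES, gcm.length);
        System.out.println("GCM leaks equal blocks:          " + firstTwoBlocksEqual(gcmBody)); // false
        System.out.println("GCM round trip ok:               "
                + Arrays.equals(PLAINTEXT, decryptGcm(key, gcm)));                              // true

        // Flip one ciphertext byte: GCM's tag check rejects it, whereas ECB would silently decrypt garbage.
        byte[] tampered = gcm.clone();
        tampered[GCM_NONCE_BYTES] ^= 0x01;
        try {
            decryptGcm(key, tampered);
            System.out.println("GCM detected tampering:          false");
        } catch (AEADBadTagException e) {
            System.out.println("GCM detected tampering:          true");
        }
    }
}
```

Two cheap checks follow from this example. Statically, flag every Cipher.getInstance argument that is not of the form "algorithm/mode/padding", or whose mode is ECB. At runtime, a unit test that initializes the cipher and asserts getIV() != null catches the same default, because every randomized mode (CBC, CTR, GCM) carries an IV or nonce and ECB does not.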

Noncompliant Code Example

This noncompliant code example shows an application that ... and is therefore not secure.


Compliant Solution

In this compliant solution ...


Related Guidelines

Risk Assessment

If an insecure encryption mode such as ECB is used, the encryption does not assure the confidentiality of the data: identical plaintext blocks appear as identical ciphertext blocks, and an attacker can rearrange, duplicate, or delete blocks without detection. Like every unauthenticated mode, ECB also provides no integrity or authentication of the data; an authenticated mode such as AES-GCM addresses both.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
DRD17-J   High      Likely      Medium            P18       L1

Automated Detection

Automatic detection of ...

Bibliography

[Egele 2013] Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. An Empirical Study of Cryptographic Misuse in Android Applications. Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013).