
Remediation for Unsafe Encryption Mode Usage

This information is intended for developers with app(s) that contain encryption employing the less secure mode AES/ECB. Encrypting content using this weak mode can lead to weak ciphertexts, and potentially put user data at risk. Location(s) of the less secure encryption modes in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.

How to fix “Unsafe Cryptographic Encryption Mode” alerts

Review your app for every location where a Cipher is instantiated. Any of the following transformation strings selects insecure AES/ECB:

  • "AES"
  • "AES/ECB/NoPadding"
  • "AES/ECB/PKCS5Padding"
  • "AES/ECB/ISO10126Padding"

For example, the following code uses AES/ECB mode by default because only "AES" was provided:

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Console alert refers to this method
public byte[] encryptionUtil(String key, String iv, byte[] plainText) throws Exception {
    // "AES" alone resolves to AES/ECB/PKCS5Padding on Android, so this employs AES/ECB mode by default
    Cipher cipher = Cipher.getInstance("AES");
    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "AES");
    // ECB takes no IV, which is why the iv parameter goes unused
    cipher.init(Cipher.ENCRYPT_MODE, keySpec);
    return cipher.doFinal(plainText);
}

Google recommends that developers use “AES/GCM/NoPadding” instead of the aforementioned insecure mode.
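The following is an added example of the recommended replacement; it is not code from the Play Console page or from Google. It assumes a hypothetical utility class name (GcmEncryptionUtil), keeps the key in memory for the demonstration (a production app would hold it in the Android Keystore, not shown here), and uses constructed sample input. It draws a fresh random 96-bit IV for every encryption, authenticates optional associated data, prepends the IV to the ciphertext so the receiver can decrypt, and shows that a tampered ciphertext is rejected rather than silently decrypted to garbage, which is what ECB cannot provide.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class name used for this example only.
public final class GcmEncryptionUtil {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_LENGTH_BYTES = 12;  // 96-bit nonce, the recommended GCM IV size
    private static final int TAG_LENGTH_BITS = 128; // full-length authentication tag
    private static final SecureRandom RANDOM = new SecureRandom();

    private GcmEncryptionUtil() {}

    // Generates a fresh 256-bit AES key. In a real app the key lives in the Android Keystore (not shown).
    public static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Returns iv || ciphertext || tag. A new random IV is drawn on every call;
    // an IV must never be reused with the same key under GCM.
    public static byte[] encrypt(SecretKey key, byte[] plainText, byte[] associatedData)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_LENGTH_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_LENGTH_BITS, iv));
        if (associatedData != null) {
            cipher.updateAAD(associatedData); // bound to the tag, but not encrypted
        }
        byte[] cipherText = cipher.doFinal(plainText); // doFinal appends the tag
        return ByteBuffer.allocate(iv.length + cipherText.length).put(iv).put(cipherText).array();
    }

    // Splits off the IV, verifies the tag and decrypts. Any modification of the IV,
    // ciphertext, tag or associated data makes doFinal throw AEADBadTagException.
    public static byte[] decrypt(SecretKey key, byte[] ivAndCipherText, byte[] associatedData)
            throws GeneralSecurityException {
        if (ivAndCipherText.length < IV_LENGTH_BYTES + TAG_LENGTH_BITS / 8) {
            throw new IllegalArgumentException("input too short to hold an IV and a tag");
        }
        ByteBuffer buf = ByteBuffer.wrap(ivAndCipherText);
        byte[] iv = new byte[IV_LENGTH_BYTES];
        buf.get(iv);
        byte[] cipherText = new byte[buf.remaining()];
        buf.get(cipherText);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_LENGTH_BITS, iv));
        if (associatedData != null) {
            cipher.updateAAD(associatedData);
        }
        return cipher.doFinal(cipherText);
    }

    // Constructed demonstration input; not real application data.
    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = generateKey();
        byte[] aad = "record-id:42".getBytes(UTF_8);
        byte[] sealed = encrypt(key, "user profile data".getBytes(UTF_8), aad);
        System.out.println(new String(decrypt(key, sealed, aad), UTF_8));

        // Flip one bit of the ciphertext: GCM rejects it instead of returning corrupted plaintext.
        sealed[sealed.length - 1] ^= 0x01;
        try {
            decrypt(key, sealed, aad);
            System.out.println("unexpected: tampered ciphertext accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected");
        }
    }
}
```

Two points drive the design: the IV is generated per message rather than derived from the key or a fixed string, and the authentication tag is checked before any plaintext is returned. Callers that need to tie a ciphertext to its context (a record ID, a user ID) pass that context as associated data so a ciphertext moved to another record fails to decrypt.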

Next steps

  1. Update your app using the steps highlighted above.
  2. Sign in to your Play Console and submit an updated version of your app.

During this time your new app or app update will be in a pending publication status until your request is reviewed. If the app has not been updated correctly, you will still see the warning.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”
