Google Play reporting "Unsafe cipher mode" for StorageHelper.java
Our Android app is receiving this error in our Google Play pre-launch report:
Your app contains a less secure encryption mode:
* com.microsoft.identity.common.adal.internal.cache.StorageHelper->getKeyThumbPrint
Proposed Solution
To resolve the error, the report suggests changing the existing cipher algorithm from:
private static final String CIPHER_ALGORITHM_FOR_KEY_TRACKING = "AES/ECB/PKCS5Padding";
to
private static final String CIPHER_ALGORITHM_FOR_KEY_TRACKING = "AES/GCM/NoPadding";
as described in this linked FAQ.
Affected Lib Versions
We have been getting the same error for apps using MSAL releases 2.2.1 and 2.1.0.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:7 (2 by maintainers)
Top GitHub Comments
Just commenting that the issue is still present in version 2.2.2. I’m receiving this warning as well.
This is mostly a spurious warning, and it is unfortunate that it is being applied in this manner. The cipher mode in question isn’t actually being used for encryption, but as a seed to a hash function for the purpose of tracking when users reset keys using deprecated APIs. I think we’re removing this completely in the next release in favor of a different mechanism.
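The key-tracking use discussed in this thread, as an added example (not code from MSAL or from the issue): it assumes the thumbprint is the encryption of a fixed label under the key, and compares the flagged ECB form, the proposed GCM swap, and an HMAC-SHA256 fingerprint as one possible replacement. The class name, method names, label and keys are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

public class KeyThumbprintDemo {
    // Constructed label for this example; not a value taken from the library.
    private static final byte[] LABEL = "key-tracking-label".getBytes(StandardCharsets.UTF_8);

    // The flagged pattern: ECB over a fixed plaintext. Deterministic per key.
    static String ecbThumbprint(SecretKey key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(c.doFinal(LABEL));
    }

    // GCM used correctly needs a unique IV per encryption, so the output
    // changes on every call and cannot identify a key.
    static String gcmThumbprint(SecretKey key) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return Base64.getEncoder().encodeToString(c.doFinal(LABEL));
    }

    // Assumed alternative: HMAC-SHA256 over the label. Deterministic, no cipher mode.
    // Requires exportable key bytes (getEncoded() is null for hardware-backed keys).
    static String hmacThumbprint(SecretKey key) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(LABEL));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = new SecretKeySpec(new byte[32], "AES"); // constructed all-zero test key
        byte[] rotatedBytes = new byte[32];
        rotatedBytes[0] = 1;
        SecretKey rotated = new SecretKeySpec(rotatedBytes, "AES"); // constructed second key
        System.out.println("ECB stable:  " + ecbThumbprint(key).equals(ecbThumbprint(key)));
        System.out.println("GCM stable:  " + gcmThumbprint(key).equals(gcmThumbprint(key)));
        System.out.println("HMAC stable: " + hmacThumbprint(key).equals(hmacThumbprint(key)));
        System.out.println("HMAC detects key change: " + !hmacThumbprint(key).equals(hmacThumbprint(rotated)));
    }
}
```

Changing only the transformation string therefore alters what the thumbprint means: a stable value under GCM would require reusing an IV, which GCM does not tolerate.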