"Your app contains unsafe cryptographic encryption patterns" - How can I get rid of this warning?


Question

A few days ago, the "Pre-launch report for APK" in the Google Play Console started to flag me:

Unsafe encryption

Detected in APK ???

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Centre article for details.

Vulnerable classes:

c.j.a.s.J.b

However, since the early days of the APK, I have not changed anything in the encryption/decryption code. Hence, I'm not sure why Google started to warn me on the recent APK?

Any idea how to resolve this? The information about the vulnerable class c.j.a.s.J.b is not helpful.

I tried to use ProGuard + mapping.txt to retrace c.j.a.s.J.b but was unable to figure out what class that is.

Any idea how I can get rid of the Google security warning?

Answer

Google Play lists the vulnerable classes together with the function name; you can see them in the dialog.

Review your app for statically computed keys, initialization vectors, and/or salts that are used in cryptographic encryption operations and ensure that these values are constructed safely.

For example:

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public byte[] encryptionUtil(String key, String iv, byte[] plainText) throws GeneralSecurityException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
    // GCM accepts tag lengths up to 128 bits; a value of 256 is rejected at init()
    GCMParameterSpec paramSpec = new GCMParameterSpec(128, iv.getBytes(StandardCharsets.UTF_8));
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, paramSpec);
    return cipher.doFinal(plainText);
}

You call the function as:

byte[] cipherText = encryptionUtil("abcdef...", "010203040506", plainText);

Here your encryption key "abcdef..." is provided as a static string. A statically computed value is a value that is the same on every execution of your app. Statically computed cryptographic values can be extracted from your app and used to attack your app's encrypted data.

So you can use EncryptedSharedPreferences to store local data.

Reference link: https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

Or Jetpack Security.

For more details: Remediation for Unsafe Cryptographic Encryption
