Use of RSA Algorithm without OAEP - Android - Vulnerability
subukamath opened this issue · comments
We use this library in our Android app. A Veracode vulnerability scan reported the issue below in this library.
http://cwe.mitre.org/data/definitions/780.html
CWE-780: Use of RSA Algorithm without OAEP
The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
File - AbstractRSA.java
    private Cipher getCipher() {
        try {
            return Cipher.getInstance("RSA/ECB/PKCS1Padding");
        } catch (Exception e) {
            return null;
        }
    }
I ran into this issue as well. I made a fix that updates to OAEPPadding: 14ca6a5, but the caveat is that this will cause problems for Android < 23 as per https://developer.android.com/training/articles/keystore#SupportedCiphers. Some work is needed to make sure it keeps working on those lower APIs, but then again, it will probably still trigger the vulnerability scan if you do that.
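An added example, not code from this library or from commit 14ca6a5: a plain JCA round trip that swaps the flagged `RSA/ECB/PKCS1Padding` for OAEP and shows that ciphertexts produced by the old padding are rejected after the switch. The class name, the `oaepCipher` helper, the SHA-256/MGF1-SHA-1 parameter choice and the throwaway key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaOaepExample {
    // Transformation flagged in the issue (CWE-780) and an OAEP replacement.
    static final String PKCS1 = "RSA/ECB/PKCS1Padding";
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Assumption: pin both digests explicitly instead of relying on provider
    // defaults, which can differ for the MGF1 digest under the same name.
    static final OAEPParameterSpec OAEP_SPEC = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    // Hypothetical helper: failures propagate instead of returning null.
    static Cipher oaepCipher(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(mode, key, OAEP_SPEC);
        return c;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key pair
        byte[] msg = "constructed sample".getBytes(StandardCharsets.UTF_8);
        byte[] ct = oaepCipher(Cipher.ENCRYPT_MODE, kp.getPublic()).doFinal(msg);
        byte[] pt = oaepCipher(Cipher.DECRYPT_MODE, kp.getPrivate()).doFinal(ct);
        System.out.println("OAEP round trip ok: " + Arrays.equals(msg, pt));
        // Data encrypted by the old PKCS1Padding path cannot be read once the
        // decrypting side expects OAEP, so stored ciphertexts need migrating.
        Cipher legacy = Cipher.getInstance(PKCS1);
        legacy.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] oldCt = legacy.doFinal(msg);
        try {
            oaepCipher(Cipher.DECRYPT_MODE, kp.getPrivate()).doFinal(oldCt);
            System.out.println("unexpected: legacy ciphertext decrypted");
        } catch (GeneralSecurityException e) {
            System.out.println("legacy ciphertext rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

This runs on a desktop JVM with the default provider; it does not exercise the Android Keystore or the API-level limitation mentioned in the comment above.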