Enhancement #22348

[3.9.16][MIB][Android][MIB-4] Use of ECB Mode for AES Encryption and SHA-1 for Hashing

Added by Feerman Yusoff about 10 hours ago.

Status: New
Priority: Normal
Assignee: Abdul Halim Baharom
Category: -
Target version: -
Start date: 18 August 2025
Due date: -
% Done: 0%
Spent time: -

Description

Finding Summary: Several instances of insecure cryptographic practices were found for encryption and hashing.
The code uses AES encryption in Electronic Codebook (ECB) mode, as seen in the methods a(byte[] bArr, byte[] bArr2) and b(byte[] bArr, byte[] bArr2) in the file com/ecosystem/mobility/silverlake/slmobilesdk/security/SLCryptoAES.class:

Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding");

ECB is the simplest block-cipher mode and is considered insecure for general-purpose encryption: each 16-byte plaintext block is encrypted independently under the same key, with no IV, so identical plaintext blocks always produce identical ciphertext blocks and encrypting the same message twice yields the same ciphertext. An attacker who only sees ciphertext can therefore detect repeated structures within a message and tell when two messages (or parts of them) are equal, without knowing the key. ECB also provides no integrity protection, so ciphertext blocks can be reordered, duplicated or substituted and the result still decrypts without error. The fix is an authenticated mode such as AES/GCM/NoPadding with a fresh, never-reused 96-bit nonce per message (or, at minimum, AES/CBC with a random IV plus an HMAC over the ciphertext).
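The following Java program is an added example, not code from the SDK or from this ticket. It reproduces the ECB pattern on a plain JVM (using the standard JCE name AES/ECB/PKCS5Padding, which is the same padding Bouncy Castle calls PKCS7Padding) beside an AES-GCM replacement, and demonstrates the three weaknesses described above on a constructed input: a 16-byte record repeated three times. The key is generated locally for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EcbVsGcmDemo {
    // Constructed sample input: the same 16-byte record repeated three times (48 bytes).
    static final byte[] REPEATING =
            "ACCOUNT=12345678ACCOUNT=12345678ACCOUNT=12345678".getBytes(StandardCharsets.US_ASCII);

    // Number of 16-byte blocks in ct that are byte-for-byte equal to an earlier block.
    static int duplicateBlocks(byte[] ct) {
        int dups = 0;
        for (int i = 16; i + 16 <= ct.length; i += 16) {
            for (int j = 0; j < i; j += 16) {
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16), Arrays.copyOfRange(ct, j, j + 16))) {
                    dups++;
                    break;
                }
            }
        }
        return dups;
    }

    // The SDK's pattern: ECB, no IV. PKCS5Padding is the standard JCE name for the padding
    // that Bouncy Castle registers as PKCS7Padding.
    static byte[] encryptEcb(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    static byte[] decryptEcb(SecretKey key, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key);
        return c.doFinal(ct);
    }

    // Hardened replacement: AES-GCM with a fresh random 96-bit nonce per message. The nonce is
    // prepended to the output so the receiver can recover it; it must never repeat under one key.
    static byte[] encryptGcm(SecretKey key, byte[] pt) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt); // ciphertext followed by the 16-byte authentication tag
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(in, 0, 12)));
        return c.doFinal(in, 12, in.length - 12); // throws AEADBadTagException if anything was modified
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        byte[] ecb = encryptEcb(key, REPEATING);
        byte[] gcm = encryptGcm(key, REPEATING);
        byte[] gcmBody = Arrays.copyOfRange(gcm, 12, gcm.length - 16); // strip nonce and tag

        // 1. Pattern leakage: repeated plaintext blocks reappear as repeated ciphertext blocks under ECB.
        System.out.println("ECB repeated ciphertext blocks: " + duplicateBlocks(ecb));
        System.out.println("GCM repeated ciphertext blocks: " + duplicateBlocks(gcmBody));

        // 2. Determinism: with no IV, ECB gives the same ciphertext for the same message every time.
        System.out.println("ECB same ciphertext twice: " + Arrays.equals(ecb, encryptEcb(key, REPEATING)));
        System.out.println("GCM same ciphertext twice: " + Arrays.equals(gcm, encryptGcm(key, REPEATING)));

        // 3. Malleability: flip one bit in the first ciphertext block. ECB decrypts without complaint
        //    (only the first plaintext block is corrupted, the rest is intact); GCM rejects the message.
        byte[] ecbTampered = ecb.clone();
        ecbTampered[0] ^= 0x01;
        byte[] pt = decryptEcb(key, ecbTampered);
        System.out.println("ECB accepted tampered ciphertext; blocks after the first still read: "
                + new String(pt, 16, pt.length - 16, StandardCharsets.US_ASCII));
        byte[] gcmTampered = gcm.clone();
        gcmTampered[12] ^= 0x01;
        try {
            decryptGcm(key, gcmTampered);
            System.out.println("GCM accepted tampered ciphertext");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered ciphertext: " + e.getMessage());
        }
    }
}
```

Running it shows two of the three data-carrying ECB ciphertext blocks duplicating the first (the fourth block is padding), zero duplicates under GCM, identical ECB output on re-encryption, and the tampered GCM message failing tag verification. Random 96-bit nonces are adequate for modest message counts per key; a deployment encrypting very large volumes under one key should use a counter-based nonce or rotate keys to keep the nonce-collision probability negligible.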
The method generateDoubleSHAWithSecretKey in the file com/ecosystem/mobility/silverlake/slmobilesdk/security/cryptograhy/SLCryptography.class uses SHA-1 for hashing, as shown in the following code:

String str4 = new String(Base64.encode(MessageDigest.getInstance("SHA-256").digest((str + new String(Base64.encode(MessageDigest.getInstance("SHA-1").digest(str2.getBytes()), 2))).getBytes()), 2));

SHA-1 is considered cryptographically broken and unsuitable for security-sensitive hashing because practical collision attacks exist (an identical-prefix collision was demonstrated in 2017 and chosen-prefix collisions in 2020). A collision gives an attacker two different inputs with the same digest, which enables forgery or data manipulation wherever the digest stands in for the data. That matters directly here: the outer SHA-256 only ever sees the Base64-encoded SHA-1 digest of str2, so any two values of str2 that collide under SHA-1 produce the same final output regardless of str, and the whole construction is only as collision-resistant as SHA-1. Separately, if generateDoubleSHAWithSecretKey is meant to produce a keyed integrity value, hashing a secret concatenated with data is not a MAC; the standard replacement is HMAC-SHA256 via javax.crypto.Mac with the secret as the key and the data as the message, with verification done by a constant-time comparison such as MessageDigest.isEqual. Note also that str2.getBytes() uses the platform default charset, so the same input can hash differently across devices; an explicit charset (UTF-8) should be used.
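As an added example (not the SDK's code), the following Java reproduces the construction quoted above on a plain JVM, with java.util.Base64 standing in for android.util.Base64 in NO_WRAP mode (the encoded output is identical) and UTF-8 made explicit, beside the HMAC-SHA256 replacement and a constant-time verify routine. The secret and the message are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KeyedHashDemo {
    // The SDK's construction: base64(SHA-256(secret || base64(SHA-1(message)))).
    // Two messages that collide under SHA-1 yield the same result whatever the secret is.
    static String legacyDoubleSha(String secret, String message) throws Exception {
        byte[] inner = MessageDigest.getInstance("SHA-1").digest(message.getBytes(StandardCharsets.UTF_8));
        String innerB64 = Base64.getEncoder().encodeToString(inner);
        byte[] outer = MessageDigest.getInstance("SHA-256")
                .digest((secret + innerB64).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(outer);
    }

    // Replacement: HMAC-SHA256 keyed with the secret, computed directly over the message.
    static String hmacSha256(byte[] key, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
    }

    // Verification recomputes the tag and compares in constant time; a plain String.equals
    // would leak how many leading bytes matched through timing.
    static boolean verify(byte[] key, String message, String tagB64) throws Exception {
        byte[] expected = Base64.getDecoder().decode(hmacSha256(key, message));
        byte[] given = Base64.getDecoder().decode(tagB64);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; a real key must come from a secure key store, not source code.
        String secret = "demo-secret-do-not-use";
        byte[] key = secret.getBytes(StandardCharsets.UTF_8);
        String msg = "txnId=1001&amount=250.00";

        System.out.println("legacy double-SHA: " + legacyDoubleSha(secret, msg));
        String tag = hmacSha256(key, msg);
        System.out.println("HMAC-SHA256:       " + tag);
        System.out.println("verify original:   " + verify(key, msg, tag));
        System.out.println("verify tampered:   " + verify(key, "txnId=1001&amount=999.00", tag));
    }
}
```

The HMAC version removes SHA-1 entirely, binds the secret to the message through a construction with a security proof rather than ad hoc concatenation, and makes the receiver's check explicit. When migrating, the server side must switch to the same HMAC at the same time, since the two constructions produce unrelated values for the same input.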
