Cryptographic API misuse detected

[anam-dodhy]

Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as

• CDRep: Automatic Repair of Cryptographic Misuses in Android Applications

In your source code file AESUtils.java there are two functions encrypt(String, String) and decrypt(String, String). Following issues have been found in these two functions:

• In function encrypt(String, String) At line 27

SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");

and at line 26

IvParameterSpec iv = new IvParameterSpec(INIT_VECTOR.getBytes("UTF-8"));

First parameters were not properly randomized in both cases. They should be randomized using java.security.SecureRandom class. And these ill prepared skeySpec and iv are later passed on as paramters in line 30 which results in another misuse.

• In function decrypt(String, String) same issues as explained above are found at line 49, 50 and 53.

• In another file PasswordProvider.java at line 42

MessageDigest md = MessageDigest.getInstance("MD5");

First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512} as MD5 is widely known to be an insecure algorithm now.

I believe fixing these issues would help your product be more secure.