[security issue]: Android implementation uses AES/ECB mode to encrypt/decrypt saved data #350

Open
jpstotz opened this issue May 29, 2024 · 0 comments

jpstotz commented May 29, 2024

The Android implementation defines

```java
public static final String AES_ALGORITHM = "AES/ECB/PKCS5Padding";
```

and uses it for encryption/decryption of data:

```java
private byte[] encryptAesPlainText(SecretKey secretKey, String plainText) throws GeneralSecurityException, IOException {
    Cipher cipher = Cipher.getInstance(Constants.AES_ALGORITHM);
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    return encryptCipherText(cipher, plainText);
}
```

`encryptAesPlainText` is used through `setCipherText` and `setSecureKey` to encrypt the data provided in the React Native code. Therefore, from my perspective, it seems like all data saved on Android using this library is encrypted using AES/ECB/PKCS5Padding.

As pointed out in several CVEs, "The use of the ECB operation mode can put the confidentiality of specific information at risk, even in an encrypted form."

Expected behavior

According to the README AES-CFB is used but I don't see any AES-CFB usage in the Android implementation.

> The library supports full encryption (AES CFB-128) on Android and iOS. You can choose to store your encryption key securely for continuous usage. The library uses Keychain on iOS and Android Keystore on android (API 23 and above). Encrypting an instance is simple:

Platform Information:

  • OS: Android
  • Library Version: latest (Git master branch)

Note: Implementations for other platforms have not been checked for ECB usage.
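
Added example, not code from the issue or from the library: on a plain JVM with a software-generated key (an assumption; the README says the library uses the Android Keystore), it encrypts a constructed two-block plaintext under the `AES/ECB/PKCS5Padding` string quoted above and under AES-GCM with a random nonce, then reports whether identical plaintext blocks and repeated encryptions remain recognisable in the ciphertext. AES-GCM is a comparison mode chosen for this example, not the AES-CFB the README names, and the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration for a plain JVM; class and method names are hypothetical.
public class EcbVersusGcm {
    static final int BLOCK = 16;   // AES block size in bytes
    static final int IV_LEN = 12;  // GCM nonce length in bytes

    // Same transformation string as Constants.AES_ALGORITHM quoted in the issue.
    static byte[] encryptEcb(SecretKey key, byte[] plain) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plain);
    }

    // Comparison mode: AES-GCM, fresh random nonce per call; returns nonce || ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] body = cipher.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + body.length).put(iv).put(body).array();
    }

    // True when the two 16-byte blocks starting at 'from' are identical.
    static boolean blocksRepeat(byte[] data, int from) {
        return Arrays.equals(Arrays.copyOfRange(data, from, from + BLOCK),
                Arrays.copyOfRange(data, from + BLOCK, from + 2 * BLOCK));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey key = generator.generateKey();  // software key: an assumption of this demo
        byte[] plain = new byte[2 * BLOCK];  // constructed sample: the same all-zero block twice
        byte[] ecb = encryptEcb(key, plain);
        System.out.println("ECB repeats blocks: " + blocksRepeat(ecb, 0));
        System.out.println("ECB deterministic:  " + Arrays.equals(ecb, encryptEcb(key, plain)));
        byte[] gcm = encryptGcm(key, plain);
        System.out.println("GCM repeats blocks: " + blocksRepeat(gcm, IV_LEN));
        System.out.println("GCM deterministic:  " + Arrays.equals(gcm, encryptGcm(key, plain)));
    }
}
```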
