Android: Insufficient encryption key length
Classification
OWASP Top 10 2013: A6 - Sensitive Data Exposure
OWASP Top 10 2017: A3 - Sensitive Data Exposure
OWASP Top 10 2021: A2 - Cryptographic Failures; A4 - Insecure Design
OWASP MASVS: V8: 8.13 (L1+R/L2+R)
OWASP ASVS: Stored Cryptography; Stored Cryptography; Stored Cryptography; Authentication
PCI DSS 4.0: 3.6.1; 6.2.4; 8.3.2
HIPAA: §164.312 (a)(2)(iv)
CWE: CWE-326; CWE-1032
Overview
A short encryption key is used, which leaves the encryption vulnerable to brute-force attacks.
Because new attack methods are constantly developed and hardware performance keeps increasing, algorithms and key sizes that were previously considered safe become obsolete. For example, 1024-bit RSA has been considered insecure since 2010 - 2015 (the exact year varies by source) and is no longer recommended.
To protect valuable data, use well-tested implementations of standard encryption algorithms with sufficiently long keys.
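The following is an added example, not code from the original page: it shows the weak key generation the text describes (1024-bit RSA) beside key generation with the lengths assumed acceptable here (2048-bit or longer RSA, 256-bit AES), using only the standard JCA API available on Android, plus a check that inspects an existing key's length before it is trusted. The minimum sizes `MIN_RSA_BITS` and `MIN_AES_BITS`, the class name and the method names are assumptions for this illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example (not the page's own code): weak vs. sufficiently long keys,
// and a pre-use length check for keys that arrive from storage or configuration.
public final class KeyLengthCheck {

    // Assumed policy thresholds: 2048-bit RSA and 128-bit AES are the floor;
    // the generators below deliberately exceed them.
    static final int MIN_RSA_BITS = 2048;
    static final int MIN_AES_BITS = 128;

    // Weak: the 1024-bit RSA case the text names as no longer recommended.
    static KeyPair weakRsaKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);
        return kpg.generateKeyPair();
    }

    // Hardened: 3072-bit RSA (any size >= MIN_RSA_BITS passes the check below).
    static KeyPair strongRsaKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    // Symmetric counterpart: 256-bit AES from the platform's KeyGenerator.
    static SecretKey aes256Key() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Length of an RSA key is the bit length of its modulus.
    static int rsaBits(PublicKey pub) {
        if (!(pub instanceof RSAKey)) {
            throw new IllegalArgumentException("not an RSA key: " + pub.getAlgorithm());
        }
        return ((RSAKey) pub).getModulus().bitLength();
    }

    // Length of a raw AES key is simply its encoded size in bits.
    static int aesBits(SecretKey key) {
        byte[] encoded = key.getEncoded();
        if (encoded == null) {
            // Hardware-backed keys (e.g. AndroidKeyStore) do not expose raw bytes;
            // their size must be read from the key's parameters instead.
            throw new IllegalArgumentException("key material not exportable");
        }
        return encoded.length * 8;
    }

    // Gate: refuse to use a key that is shorter than the assumed policy.
    static boolean rsaKeyAcceptable(PublicKey pub) {
        return rsaBits(pub) >= MIN_RSA_BITS;
    }

    static boolean aesKeyAcceptable(SecretKey key) {
        return aesBits(key) >= MIN_AES_BITS;
    }

    public static void main(String[] args) throws Exception {
        KeyPair weak = weakRsaKeyPair();
        KeyPair strong = strongRsaKeyPair();
        SecretKey aes = aes256Key();
        System.out.println("1024-bit RSA acceptable? " + rsaKeyAcceptable(weak.getPublic()));   // false
        System.out.println("3072-bit RSA acceptable? " + rsaKeyAcceptable(strong.getPublic())); // true
        System.out.println("AES-256 acceptable?      " + aesKeyAcceptable(aes));                // true
    }
}
```

When keys live in the AndroidKeyStore, the size is chosen with `KeyGenParameterSpec.Builder.setKeySize(int)` at generation time and the raw bytes are not exportable, so the `aesBits` path above applies only to software keys; the thresholds themselves are the point, and they should be reviewed periodically for the reason the text gives.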
Sensitive Data Exposure vulnerabilities rank third in the "OWASP Top 10 2017" web-application vulnerability ranking.