software composition analysis
Product
SAST
Catch vulnerabilities as you develop DAST
Test live web applications like an attacker SCA
Secure open-source and supply chain MAST
Secure mobile apps from code to store Compliance
Align with standards while shipping secure code
Resources
Vulnerability database Healthy Package
Blog News
Documentation
Pricing Partners About Us Log In
software composition analysis

Android : Insufficient encryption key length

Classification

OWASP Top 10 2013 A6-Sensitive Data Exposure OWASP Top 10 2017 A3-Sensitive Data Exposure OWASP Top 10 2021 A2-Cryptographic Failures A4-Insecure Design OWASP MASVS V8: 8.13.(L1+R/L2+R) OWASP ASVS Stored Cryptography Stored Cryptography Stored Cryptography Authentication PCI DSS 4.0 3.6.1 6.2.4 8.3.2 HIPAA §164.312 (a)(2)(iv) CWE CWE-326 CWE-1032

Overview

Short encryption key is used. Encryption is vulnerable to brute force attacks.

Due to constant development of new attack methods and increase in hardware performance, previously considered safe algorithms become obsolete. For example, 1024 bit RSA is considered insecure starting 2010 - 2015 (in various sources) and is no longer recommended to use.

In order to protect valuable data, use well tested implementations of standard encryption algorithms with sufficiently long keys.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Top 10 2013-A6-Sensitive Data Exposure
  2. Cryptographic Key Length Recommendation
  3. OWASP Top 10 2017-A3-Sensitive Data Exposure
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  5. CWE-326

See also

Android : Hardcoded encryption key
Android : Unreleased resource stream
Android : Undocumented feature: special account