PTKDMobile App Security
Knowledge base / PTKD-CRYPTO-WEAK
medium M10 MASVS-CRYPTO-1 static analysis PTKD-CRYPTO-WEAK

Weak cryptographic primitive

A weak or broken cryptographic algorithm or mode is referenced in the code.

How it's exploited

ECB mode leaks structure (identical plaintext blocks produce identical ciphertext), MD5/SHA-1 allow collisions, and DES/RC4 fall to brute force. Data "encrypted" this way is routinely recovered offline.

Why it matters

Encrypted-at-rest promises quietly fail: stolen databases or backups are decryptable, and integrity checks can be forged.

How to fix it

  1. Use AES-256-GCM (or ChaCha20-Poly1305) for encryption and SHA-256+ for hashing; never ECB.
  2. On Android use Jetpack Security / Keystore; on iOS use CryptoKit and the Keychain, so keys never live in code.
  3. Migrate existing data on next write and delete the legacy-cipher path once the fleet has rolled.
Android: authenticated encryption
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
// key from AndroidKeyStore, never from a hardcoded string

References