A weak or broken cryptographic algorithm or mode is referenced in the code.
How it's exploited
ECB mode leaks structure (identical plaintext blocks produce identical ciphertext), MD5/SHA-1 allow collisions, and DES/RC4 fall to brute force. Data "encrypted" this way is routinely recovered offline.
Why it matters
Encrypted-at-rest promises quietly fail: stolen databases or backups are decryptable, and integrity checks can be forged.
How to fix it
Use AES-256-GCM (or ChaCha20-Poly1305) for encryption and SHA-256 or stronger for hashing; never use ECB.
On Android use Jetpack Security / Keystore; on iOS use CryptoKit and the Keychain, so keys never live in code.
Migrate existing data on next write and delete the legacy-cipher path once the fleet has rolled.
Android: authenticated encryption
import javax.crypto.Cipher

// AES in GCM mode: confidentiality plus an integrity tag, unlike ECB
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
// key from AndroidKeyStore, never from a hardcoded string