Weak Encryption Algorithms

Description

Using deprecated ciphers (DES/3DES/RC4) or insecure modes (AES‑ECB) exposes data to recovery via brute force or structural analysis. Custom crypto wrappers often mishandle IVs/nonces and omit authentication, enabling forgery.

Examples

Identify Insecure Modes in Code

jadx -r -d out app-release.apk
rg -n "AES/ECB|DES|RC4|NoPadding|getInstance\(" out

If code uses Cipher.getInstance("AES/ECB/PKCS5Padding"), identical plaintext blocks encrypt to identical ciphertext blocks, so the ciphertext leaks plaintext patterns and is vulnerable to block rearrangement.
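A narrower triage than the grep above, as an added example that is not part of the original page: it parses the transformation string passed to Cipher.getInstance, so AES/GCM/NoPadding and RSA/ECB/... are not flagged while a bare "AES" is. The function names and the SAMPLE source are constructed for illustration, and treating a bare "AES" as ECB is an assumption based on common JCA provider defaults.

```python
import re

# First string-literal argument of Cipher.getInstance("...").
GET_INSTANCE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
DEPRECATED = {"DES", "DESEDE", "TRIPLEDES", "RC4", "ARCFOUR"}  # JCA names and aliases
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "TRIPLEDES"}
AEAD_MODES = {"GCM", "CCM"}

# Constructed sample of decompiled Java, not taken from any real app.
SAMPLE = '''\
Cipher a = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher b = Cipher.getInstance("AES");
Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
Cipher d = Cipher.getInstance("AES/GCM/NoPadding");
Cipher e = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
Cipher f = Cipher.getInstance("AES/CBC/PKCS5Padding");
String DESCRIPTION = "RC4 removed";
'''

def classify(transformation):
    """Return the findings for one 'ALG/MODE/PADDING' transformation string."""
    parts = transformation.upper().split("/")
    alg = parts[0]
    mode = parts[1] if len(parts) > 1 else None
    findings = []
    if alg in DEPRECATED:
        findings.append("deprecated cipher")
    # Mode checks apply to block ciphers only; "ECB" in RSA/ECB/... is a placeholder.
    if alg in BLOCK_CIPHERS:
        if mode is None:
            findings.append("no mode given, provider default is usually ECB")
        elif mode == "ECB":
            findings.append("ECB mode")
        elif mode not in AEAD_MODES:
            findings.append("unauthenticated mode, check for a separate MAC")
    return findings

def scan(source):
    """Return (line number, transformation, findings) for each flagged call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in GET_INSTANCE.finditer(line):
            findings = classify(match.group(1))
            if findings:
                hits.append((lineno, match.group(1), findings))
    return hits

if __name__ == "__main__":
    for lineno, transformation, findings in scan(SAMPLE):
        print(f"line {lineno}: {transformation}: {', '.join(findings)}")
```

Only string literals are parsed, so a transformation passed through a variable or constant still needs manual tracing in the decompiled output.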

Downgrade to Legacy Suites (Server)

Detect acceptance of weak TLS ciphers:

openssl s_client -connect api.example.com:443 -tls1 -cipher RC4-SHA

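A successful handshake indicates the server still accepts the legacy protocol version and cipher suite. Recent OpenSSL builds often disable RC4 and TLS 1.0 on the client side, so a failed handshake can reflect the local build rather than the server's configuration.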

Remediation

  1. Use modern AEAD
    • Prefer AES‑GCM or ChaCha20‑Poly1305 via platform crypto APIs; include authentication.
  2. Implement crypto agility
    • Version payloads and rotate keys; deprecate weak algorithms without breaking older clients.
  3. Enforce strong TLS
    • Disable legacy protocol versions and cipher suites; monitor for deprecated usage in telemetry and code reviews.