Cryptographic API misuse detected

[anam-dodhy]

Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as

• CDRep: Automatic Repair of Cryptographic Misuses in Android Applications

In your source code file DesEncrypter.java there is a function "DesEncrypter(String, byte[])" and at line 44:

KeySpec keySpec = new PBEKeySpec(passPhrase.toCharArray(), salt, iterationCount);

where the iterationCount defined is 17 which is not the recommended value i.e. 1000

In another file AES.java there are two functions encrypt(byte[], string) and decrypt(byte[], string) with following misuses at line 34 and 49:

Cipher cipher = Cipher.getInstance(AES);

First parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}

In another file MD5Util.java there are two functions encrypt(byte[], string) and decrypt(byte[], string) with following misuses at line 50:

MessageDigest md = MessageDigest.getInstance("MD5");

First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}

I believe fixing these issues would help your product be more secure.

[jwpttcg66]

thank you for your help.