The App uses ECB mode in a cryptographic encryption algorithm.

ID

objectivec.cryptography.ios_aes_ecb

Severity

critical

Resource

Cryptography

Language

Objective-C

Description

The App uses ECB mode in a cryptographic encryption algorithm. ECB mode is known to be weak because it produces the same ciphertext for identical blocks of plaintext.

Rationale

The App uses ECB mode in a cryptographic encryption algorithm. ECB mode is known to be weak because it encrypts every block independently with no IV or chaining, so identical plaintext blocks produce identical ciphertext blocks. The ciphertext therefore reveals repetition and structure in the plaintext, and individual blocks can be reordered, duplicated or dropped without the change being detectable by the decrypting side.

The following code illustrates a vulnerable pattern detected by this rule:

#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>

// Deliberately vulnerable example: kCCOptionECBMode selects ECB mode.
// Without kCCOptionPKCS7Padding, data.length must be a multiple of 16 bytes.
// The wrapper function name encryptECB is illustrative.
NSData *encryptECB(NSData *data, NSData *key) {
    size_t bufferSize = data.length + kCCBlockSizeAES128;
    void *buffer = malloc(bufferSize);
    size_t numBytesEncrypted = 0;

    // VULNERABLE: The App uses ECB mode in Cryptographic encryption algorithm.
    CCCryptorStatus status = CCCrypt(kCCEncrypt,
                                     kCCAlgorithmAES,
                                     kCCOptionECBMode,
                                     key.bytes,
                                     key.length,
                                     NULL,            // ECB takes no IV
                                     data.bytes,
                                     data.length,
                                     buffer,
                                     bufferSize,
                                     &numBytesEncrypted);

    if (status == kCCSuccess) {
        // NSData takes ownership of buffer and free()s it when released.
        return [NSData dataWithBytesNoCopy:buffer length:numBytesEncrypted];
    }
    free(buffer); // do not leak the buffer on failure
    return nil;
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
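A hardened counterpart to the pattern flagged above, added here as an example and not part of this rule's documentation: the same CCCrypt call in CBC mode with a fresh random IV and PKCS#7 padding, then an HMAC-SHA256 tag over IV||ciphertext (encrypt-then-MAC) because CBC alone gives no integrity. The function name encryptCBCWithMAC and the use of two independent 32-byte keys (encKey, macKey) are assumptions, not part of the original page.

```objectivec
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>

// Example remediation (not the rule's own code). Output layout:
//   IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
// encKey and macKey are assumed to be two independent 32-byte keys.
NSData *encryptCBCWithMAC(NSData *data, NSData *encKey, NSData *macKey) {
    if (encKey.length != kCCKeySizeAES256 || macKey.length != CC_SHA256_DIGEST_LENGTH) {
        return nil;
    }

    // A random IV per message makes equal plaintexts encrypt differently,
    // which is exactly the property ECB lacks.
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(iv), iv) != errSecSuccess) {
        return nil;
    }

    size_t bufferSize = data.length + kCCBlockSizeAES128; // room for padding
    NSMutableData *out = [NSMutableData dataWithLength:sizeof(iv) + bufferSize];
    memcpy(out.mutableBytes, iv, sizeof(iv));

    size_t numBytesEncrypted = 0;
    // FIXED: no kCCOptionECBMode, so CCCrypt uses CBC; padding handles any length.
    CCCryptorStatus status = CCCrypt(kCCEncrypt,
                                     kCCAlgorithmAES,
                                     kCCOptionPKCS7Padding,
                                     encKey.bytes, encKey.length,
                                     iv,
                                     data.bytes, data.length,
                                     (uint8_t *)out.mutableBytes + sizeof(iv), bufferSize,
                                     &numBytesEncrypted);
    if (status != kCCSuccess) {
        return nil;
    }
    out.length = sizeof(iv) + numBytesEncrypted;

    // Encrypt-then-MAC: authenticate IV and ciphertext so tampering is detected
    // before decryption is attempted.
    uint8_t tag[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, macKey.bytes, macKey.length, out.bytes, out.length, tag);
    [out appendBytes:tag length:sizeof(tag)];
    return out;
}
```

The receiver must verify the tag (in constant time) before decrypting; where the deployment target allows, an AEAD such as AES-GCM from CryptoKit removes the need for a separate MAC.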

Configuration

This detector does not need any configuration.