Severity: medium · CWE-327 · OWASP Mobile M10:2024

Insufficient Cryptography

Mobile app uses weak encryption algorithms, hardcoded keys, or implements custom cryptography — making encrypted data effectively unprotected.

How It Works

Insufficient cryptography in mobile apps includes using deprecated or broken algorithms (DES, MD5, SHA-1), hardcoding encryption keys in the source code (trivially extracted by decompiling the app), using ECB mode, reusing static IVs, or rolling your own crypto. Even if data is encrypted, weak crypto is equivalent to no encryption because an attacker can break it quickly. Hardcoded keys are the most common issue: anyone who decompiles the app has the key, and since the same key ships in every installation, one extraction unlocks every user's data.

Vulnerable Code

// Hardcoded key + weak algorithm
import crypto from 'crypto';
const data = 'account=1234';            // plaintext the app wants to protect
const key = 'mySecretKey12345';         // hardcoded: recoverable from the decompiled app
// createCipher is deprecated: DES has a 56-bit key, and this API derives the key with MD5 and uses no IV
const cipher = crypto.createCipher('des', key);
let encrypted = cipher.update(data, 'utf8', 'hex');
encrypted += cipher.final('hex');
Secure Code

// Secure: AES-256-GCM with a random key held in the platform Keystore/Keychain
import crypto from 'crypto';
import { generateSecureRandom } from 'react-native-securerandom';
const iv = await generateSecureRandom(16); // fresh random IV for every message; never reuse one under the same key
const cipher = crypto.createCipheriv('aes-256-gcm', keyFromKeystore, iv); // keyFromKeystore: 32-byte key retrieved from the Keystore, never present in source
let encrypted = cipher.update(data, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag(); // store iv and authTag with the ciphertext; decryption must verify the tag

Real-World Example

In 2016, researchers found that the Ashley Madison mobile app encrypted data with a hardcoded key that was identical across all installations. After the breach, all 'encrypted' data was trivially decryptable.

How to Prevent It

  • Use AES-256-GCM for symmetric encryption
  • Store encryption keys in the platform Keystore/Keychain, never hardcode
  • Use secure random number generators for IVs and nonces
  • Never implement custom cryptographic algorithms

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.
