IBM Support

PH03280: MOBILEFIRST ANDROID SDK USES AES ENCRYPTION WITH DEFAULT MODE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Product components impacted: Security
    Mobile Devices Operating Systems impacted: Android
    User roles impacted: Developer
    Distribution: Fix Central, DevCenter, Maven, npm
    Versions affected: 8.0
    
    The MobileFirst SDK for Android and Cordova uses the Advance
    Encryption Standard algorithm in the default mode (ECB). This is
    reported in vulnerability assessments of mobile apps built using
    the MobileFirst SDK as not being a strong algorithm.
    The AES  algorithm should be used with CBC or stronger mode.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Developers of MobileFirst apps on Android or Cordova         *
    * platforms                                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * The Advanced Encryption Standard (AES) algorithm used by the *
    * MobileFirst SDK on Android and Cordova uses default ECB mode *
    * for encryption. This is being reported in vulnerability      *
    * scans as not being string enough.                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • The problem has been fixed by using Advanced Encryption Standard
    (AES) with CBC mode which is considered as stronger for
    encryption.
    

Temporary fix

  • -
    

Comments

APAR Information

  • APAR number

    PH03280

  • Reported component name

    MOBILE1ST PF EN

  • Reported component ID

    5725I4300

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-09-26

  • Closed date

    2018-11-27

  • Last modified date

    2018-11-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MOBILE1ST PF EN

  • Fixed component ID

    5725I4300

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
27 November 2018