Insufficient Cryptography

Insufficient cryptography in mobile applications can be exploited by attackers to compromise the confidentiality, integrity, and authenticity of sensitive information. Attackers target cryptographic algorithms or their implementations to decrypt or tamper with sensitive data.

Remediation

  • Use well-established and secure cryptographic algorithms, such as AES-256 for encryption and SHA-256 for hashing.
  • Avoid custom cryptographic implementations and rely on trusted libraries, such as OpenSSL, Bouncy Castle, or platform-specific APIs.
  • Implement secure key management practices, including storing keys in secure hardware (e.g., Android Keystore or iOS Secure Enclave).
  • Avoid deprecated algorithms (e.g., MD5, SHA-1, or DES) and insecure modes of operation (e.g., ECB for block ciphers).
  • Perform encryption and decryption operations within secure environments to prevent exposure of keys or plaintext.
  • Implement key rotation policies to periodically replace encryption keys and reduce the impact of key compromise.
  • Use cryptographic padding and initialisation vectors (IVs) securely to prevent padding oracle or other side-channel attacks.
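
The contrast behind the algorithm, mode and IV items above, as an added example (not code from this page): Java's javax.crypto platform API encrypting the same constructed plaintext with AES in ECB mode and with AES-256-GCM. The class name, helper names and sample plaintext are assumptions made for illustration, and the key is generated in memory here, where an app would hold it in the platform keystore.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class CryptoModes { // hypothetical class name
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Weak: ECB encrypts each 16-byte block independently, so equal plaintext blocks stay equal.
    static byte[] ecbEncrypt(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    // Hardened: AES-GCM with a fresh random IV per message; output is IV || ciphertext || tag.
    static byte[] gcmEncrypt(SecretKey key, byte[] pt) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Reads the IV from the message prefix; doFinal throws AEADBadTagException if anything was modified.
    static byte[] gcmDecrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // AES-256
        SecretKey key = kg.generateKey(); // assumption: in-memory key for the demo only
        // Constructed sample: two identical 16-byte blocks.
        byte[] pt = "PIN=0000;PAD=000PIN=0000;PAD=000".getBytes(StandardCharsets.US_ASCII);
        byte[] ecb = ecbEncrypt(key, pt);
        System.out.println("ECB repeats block: "
            + Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));
        byte[] a = gcmEncrypt(key, pt), b = gcmEncrypt(key, pt);
        System.out.println("GCM outputs differ: " + !Arrays.equals(a, b));
        System.out.println("GCM round trip: " + Arrays.equals(pt, gcmDecrypt(key, a)));
        a[a.length - 1] ^= 1; // flip one bit to simulate tampering in storage or transit
        try { gcmDecrypt(key, a); System.out.println("tampering accepted"); }
        catch (AEADBadTagException e) { System.out.println("tampering rejected"); }
    }
}
```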

Metadata

  • Severity: low
  • Slug: insecure-cryptography

CWEs

  • 327: Use of a Broken or Risky Cryptographic Algorithm

OWASP

  • M10:2024: Insufficient Cryptography
