Swift Insecure Cryptor Usage
Description
Detects usage of insecure DES (Data Encryption Standard) encryption through Swift's Cryptor API. DES is a deprecated encryption algorithm that can be broken through brute force attacks, making it unsuitable for protecting sensitive data.
Detection Strategy
• Look for code using the Swift Cryptor API
• Check if the Cryptor instance is configured to use DES encryption algorithm
• Report a vulnerability when DES encryption is used since it provides insufficient security
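The three steps above describe a static check over Swift source. The following Python script is an added illustration of that strategy and is not Fluid Attacks' scanner code: it scans a constructed Swift snippet (modelled on the examples on this page) for a `Cryptor(...)` call whose `algorithm:` argument is `.des`, and for a Chilkat `CryptAlgorithm` property set to `"des"` or `"3des"`, and reports the line number and algorithm for each hit. The regular expressions and the `Finding` type are assumptions made for this example; the script ignores trailing `//` comments so that a comment mentioning DES does not trigger a report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample Swift source (not real project code), built from the
# vulnerable and secure snippets shown on this page.
SAMPLE_SWIFT = """\
// Encryption setup using insecure algorithms
let cryptor = try Cryptor(operation: .encrypt, algorithm: .des, options: .none, key: key, iv: [])
let crypt = CkoCrypt2()
crypt.CryptAlgorithm = "3des"
// Encryption setup using secure algorithm
let cryptor2 = try Cryptor(operation: .encrypt, algorithm: .aes256, options: .none, key: key, iv: iv)
let crypt2 = CkoCrypt2()
crypt2.CryptAlgorithm = "aes256"
"""

# Steps 1 and 2 of the strategy: a Cryptor(...) call whose `algorithm:`
# argument selects DES. `\b` after `des` keeps `.desX` style names from matching.
CRYPTOR_DES = re.compile(r"\bCryptor\s*\([^)]*?\balgorithm\s*:\s*\.des\b", re.IGNORECASE)

# Chilkat's CryptAlgorithm property assigned a DES-family string ("des" or "3des").
CHILKAT_DES = re.compile(r"\.CryptAlgorithm\s*=\s*\"(3des|des)\"", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    """One reported use of an insecure DES-family algorithm (assumed shape)."""
    line: int        # 1-based line number in the scanned source
    algorithm: str   # "DES" or "3DES"
    source: str      # the offending line, stripped


def find_insecure_cryptor_usage(source: str) -> list[Finding]:
    """Step 3 of the strategy: report every line configuring DES or 3DES."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        # Drop trailing line comments so commentary about DES is not reported.
        code = text.split("//", 1)[0]
        if CRYPTOR_DES.search(code):
            findings.append(Finding(lineno, "DES", text.strip()))
            continue
        match = CHILKAT_DES.search(code)
        if match:
            findings.append(Finding(lineno, match.group(1).upper(), text.strip()))
    return findings


if __name__ == "__main__":
    for finding in find_insecure_cryptor_usage(SAMPLE_SWIFT):
        print(f"line {finding.line}: insecure {finding.algorithm} -> {finding.source}")
```

Run against the embedded sample, the script reports only the two insecure lines (the `.des` Cryptor call and the `"3des"` Chilkat setting) and stays silent on the AES-256 lines, which is the behaviour the detection strategy asks for. A single-line regex is enough for the patterns on this page; a production rule would resolve the `algorithm:` value through an AST so that a DES constant stored in a variable is still caught.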
Vulnerable code example
// Encryption setup using insecure algorithms
let cryptor = try Cryptor(operation: .encrypt, algorithm: .des, options: .none, key: key, iv: []) // Vulnerable: Uses DES which is cryptographically broken
let crypt = CkoCrypt2()
crypt.CryptAlgorithm = "3des" // Vulnerable: 3DES is deprecated and vulnerable to meet-in-the-middle attacks
✅ Secure code example
// Encryption setup using secure algorithm
let cryptor = try Cryptor(operation: .encrypt, algorithm: .aes256, options: .none, key: key, iv: iv) // Secure: Uses AES-256 with proper IV
let crypt = CkoCrypt2()
crypt.CryptAlgorithm = "aes256" // Secure: Uses AES-256 which is currently considered cryptographically secure