PKCS5 and PKCS7 are known to be vulnerable to oracle padding attacks

[eikebartels]

This package seems to use AES-CBC-PKCS7 encryption for secure storage.

PKCS5 and PKCS7 are known to be vulnerable to oracle padding attacks in combination with CBC mode of operation. The issue occurs if an app reports failed encryption. By that, the plaintext can be restored piece by piece, as only byte-sized blocks are brute-forced.

Flutter seems to expose the EncrypredSharedPreferences of Android. They are the go-to solution. See https://pub.dev/packages/flutter_secure_storage and https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

[mkhtradm01]

This package seems to use AES-CBC-PKCS7 encryption for secure storage.

PKCS5 and PKCS7 are known to be vulnerable to oracle padding attacks in combination with CBC mode of operation. The issue occurs if an app reports failed encryption. By that, the plaintext can be restored piece by piece, as only byte-sized blocks are brute-forced.

Flutter seems to expose the EncrypredSharedPreferences of Android. They are the go-to solution. See https://pub.dev/packages/flutter_secure_storage and https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences

So this happens on Android as android is using EncrypredSharedPreferences

[ernestomar]

Possible duplicate of #526?

[juliansteenbakker]

Please read #769 for an upcoming fix for this issue.