Oracle Padding Attack

Penetration team raised below concern:

the adversary was able to find that the application uses Cipher Block Chaining (CBC) as its encryption mode, along with Public Key Cryptography Standards (PKCS5/PKCS7) padding. This configuration is known to be vulnerable to Padding Oracle attacks.

It is recommended to use GCM (Galois Counter Mode)

Need help in removing the AES/CBC references

Hi @imiksa

It’s hard to say without more information.

Does your app do any encryption? Any idea what part of the code this feedback might be referring to? Is this for both Android and iOS versions of the app or just one of them?