fix: Fixes the IV overwrite when trying to encrypt multiple credentials by pmathew92 · Pull Request #882 · auth0/Auth0.Android

pmathew92 · 2025-11-22T13:02:13Z

Changes

This PR fixes the issue caused when the Initialisation Vector (IV) used to encrypt the Credentials in the SecureCredentialsManager gets overwritten with another IV when used along the multiple resource refresh token flow.

Cause

The IV generated while encrypting one set of credentials are stored in the shared preference using a key. When used along with the mrrt flow, the same shared preference key is used to store the new IV which replaces the existing one used to encrypt the first set of credentials. This results in a CryptoException when the new IV is used to decrypt the original set of credentials.

Fix

Instead of storing the IV in the shared preference , The IV is encrypted alongside the Credentials and stored. This ensures all set of different credentials would have their own IV which can later be extracted to decrypt them hence avoiding any exception. The Fix also ensures seamless migration for existing set of stored Credentials using the old manner.

Testing

Manual tests has been conducted for migration scenario and along with multiple set of credentials

This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not

Checklist

I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors

…d credentials

pmathew92 · 2025-11-22T18:14:03Z

@claude

pmathew92 · 2025-11-23T12:22:05Z

@claude

github-actions · 2025-11-23T12:22:37Z

Claude finished @pmathew92's task —— View job

Code Review Complete

Overall Assessment

❌ This PR addresses a critical IV collision bug in the credential encryption system, but has several security and code quality issues that should be addressed before merging.

Strengths

Correctly identifies and fixes the root cause of IV collision in MRRT flow
Implements backward compatibility for legacy format credentials
Comprehensive test coverage including migration scenarios
Well-documented format specification in comments

Critical Issues Requiring Attention

Security Concerns:

Potential integer overflow when casting IV length to byte (line 588)
Insufficient validation of IV length from untrusted input could allow values up to 255
Missing bounds validation in array copy operations could cause crashes with malformed data
Aggressive credential clearing on CryptoException may hide transient errors

Code Quality:

Magic number "2" in length calculations reduces readability
Variable naming inconsistency ("decoded" contains encrypted data)
Test coverage gaps for IV length edge cases (0, 255, 13-15)

Performance:
No significant performance concerns identified. The new format adds minimal overhead (2 bytes per encryption).

Recommendations

The cryptographic approach is sound, but the implementation needs hardening against edge cases and malformed input. Please review the inline comments for specific suggestions to improve input validation, error handling, and code clarity.

auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

auth0/src/test/java/com/auth0/android/authentication/storage/CryptoUtilTest.java

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

auth0/src/main/java/com/auth0/android/authentication/storage/CryptoUtil.java

pmathew92 added 2 commits November 21, 2025 17:29

fix: Fixing the IV overwrite conflict while storing multiple encrypte…

d16166c

…d credentials

Added UTs for the new changes

20810d9

This comment has been minimized.

Sign in to view

This comment was marked as outdated.

Sign in to view

addressed feedbacks from claude code PR review

4769c62