Summary
react-native-auth0@5.4.0 bundles com.auth0.android:auth0:3.12.0, which uses weak cryptographic algorithms in SecureCredentialsManager:
RSA/ECB/PKCS1Padding for RSA key wrapping
AES/CBC/PKCS7Padding for credential encryption
These are flagged under OWASP M5 (Insufficient Cryptography) and are being caught by security scans (InfoSec / mobile app security assessments).
Fix already exists upstream
com.auth0.android:auth0:3.12.2 (released 2026-01-23, two days after react-native-auth0@5.4.0) fixed this in PR #834:
| | Before 3.12.2 | 3.12.2+ |
| --- | --- | --- |
| RSA | RSA/ECB/PKCS1Padding | RSA/ECB/OAEPWithSHA-1AndMGF1Padding |
| AES | AES/CBC/PKCS7Padding | AES/GCM/NOPADDING |
The latest com.auth0.android:auth0 is 3.14.0.
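To show concretely why scanners treat the pre-3.12.2 AES mode as insufficient, here is an added example (not code from this issue or from the Auth0 SDK): it encrypts a constructed credential blob under both AES transformations from the table, flips one ciphertext bit, and decrypts, so the missing integrity check in CBC mode is visible next to GCM's tag verification. It uses plain JCA on a desktop JDK, where the CBC padding is spelled PKCS5Padding (the JDK name for what Android calls PKCS7Padding); the class and helper names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CbcVsGcmDemo {
    // GCM takes a 96-bit nonce, CBC a 128-bit IV; both are prepended to the ciphertext here.
    static int ivLen(String t) { return t.contains("GCM") ? 12 : 16; }
    static Cipher init(String t, int mode, SecretKey key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(t);
        c.init(mode, key, t.contains("GCM") ? new GCMParameterSpec(128, iv) : new IvParameterSpec(iv));
        return c;
    }

    // Returns iv || ciphertext (|| tag for GCM) for one JCA transformation string.
    static byte[] encrypt(String t, SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[ivLen(t)];
        new SecureRandom().nextBytes(iv);
        byte[] ct = init(t, Cipher.ENCRYPT_MODE, key, iv).doFinal(plaintext);
        byte[] blob = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }
    // GCM verifies the tag and throws AEADBadTagException; CBC has no integrity check at all.
    static byte[] decrypt(String t, SecretKey key, byte[] blob) throws GeneralSecurityException {
        int n = ivLen(t);
        return init(t, Cipher.DECRYPT_MODE, key, Arrays.copyOf(blob, n)).doFinal(blob, n, blob.length - n);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample credential JSON, not a real token.
        byte[] creds = "{\"access_token\":\"sample-not-real\",\"scope\":\"openid profile\"}"
                .getBytes(StandardCharsets.UTF_8);
        // PKCS5Padding is the JDK spelling of the padding Android names PKCS7Padding.
        for (String t : new String[] {"AES/CBC/PKCS5Padding", "AES/GCM/NoPadding"}) {
            byte[] blob = encrypt(t, key, creds);
            blob[16] ^= 0x01;   // flip one bit in the first CBC ciphertext block (mid-ciphertext for GCM)
            try {
                String pt = new String(decrypt(t, key, blob), StandardCharsets.UTF_8);
                System.out.println(t + ": tampered blob still decrypts (no integrity check): " + pt);
            } catch (AEADBadTagException e) {
                System.out.println(t + ": tampering detected, decryption refused");
            }
        }
    }
}
```

The CBC run returns corrupted credentials without any error, which is the behaviour an OWASP M5 finding points at; the GCM run refuses the modified blob.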
Impact on consumers
React Native apps using SecureCredentialsManager (the default credential storage) are flagged by security scans. The only workaround currently available is to force the dependency version via Gradle resolutionStrategy, but this means running the native Android SDK against a version that react-native-auth0 was never tested with — introducing crash risk.
Request
Please bump the com.auth0.android:auth0 dependency in android/build.gradle to 3.12.2 or later (ideally 3.14.0) and cut a new release.
Happy to open a PR for the one-line change if that helps move it along.