V5317. OWASP. Implementing a cryptographic algorithm is not advised because an attacker might break it.

The analyzer has detected that the application implements its own cryptographic algorithm. Creating or custom-implementing cryptographic algorithms is not recommended.

Vulnerabilities related to the use of custom cryptographic algorithms can be categorized under the OWASP Top 10 2021 as follows:

Thus, subclassing MessageDigest to implement a custom digest is reported as an error:

import java.security.MessageDigest;

// Flagged by V5317: extending MessageDigest means the hashing logic itself
// (the engine* methods) is written by hand rather than taken from a vetted provider.
public class CustomDigest extends MessageDigest {
    public CustomDigest(String algorithm) {
        super(algorithm);
        // ....
    }

    // ....
}

Using modern and reliable standard algorithms is one of OWASP's recommendations. MITRE also advises against developing custom cryptographic algorithms:

Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak.

Instead of developing a custom algorithm, it is better to just use something like SHA-256:

import java.security.MessageDigest;

// getInstance throws NoSuchAlgorithmException if no provider supplies the name;
// SHA-256 is required by the Java platform, so it is always available.
var digest = MessageDigest.getInstance("SHA-256");
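A complete example of the recommended approach, added here and not part of the PVS-Studio documentation: the hash is obtained from the platform's SHA-256 provider rather than a MessageDigest subclass, and the provider is checked against the published FIPS 180-2 known-answer vector for SHA-256("abc"). The class name is an assumption; HexFormat requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Hypothetical example class; not from the analyzer's documentation.
public final class StandardDigestExample {

    // Known-answer test vector: SHA-256("abc") as published in FIPS 180-2.
    private static final String SHA256_ABC =
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

    // Compute SHA-256 of the input with the standard provider, returned as lowercase hex.
    public static String sha256Hex(byte[] input) throws NoSuchAlgorithmException {
        // Create a fresh instance per call: MessageDigest objects are not thread-safe.
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().formatHex(digest.digest(input));
    }

    // Same computation for data that arrives in chunks (files, network streams).
    public static String sha256HexChunked(byte[][] chunks) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        for (byte[] chunk : chunks) {
            digest.update(chunk);
        }
        return HexFormat.of().formatHex(digest.digest());
    }

    // Confirm the provider in use reproduces the published result before trusting it.
    public static boolean providerPassesKnownAnswerTest() throws NoSuchAlgorithmException {
        String actual = sha256Hex("abc".getBytes(StandardCharsets.US_ASCII));
        return SHA256_ABC.equals(actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        if (!providerPassesKnownAnswerTest()) {
            throw new IllegalStateException("SHA-256 provider failed the known-answer test");
        }
        byte[] message = "hello".getBytes(StandardCharsets.UTF_8);
        System.out.println("one-shot: " + sha256Hex(message));
        // Chunked hashing of the same bytes must yield the same digest.
        byte[][] chunks = { "he".getBytes(StandardCharsets.UTF_8),
                            "llo".getBytes(StandardCharsets.UTF_8) };
        System.out.println("chunked:  " + sha256HexChunked(chunks));
    }
}
```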