flutter_secure_storage: Unhandled Exception: PlatformException(Exception encountered, read, javax.crypto.BadPaddingException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT

How to fix this problem?

E/flutter (29195): [ERROR:flutter/lib/ui/ui_dart_state.cc(177)] Unhandled Exception: PlatformException(Exception encountered, read, javax.crypto.BadPaddingException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT
E/flutter (29195): 	at com.android.org.conscrypt.NativeCrypto.EVP_CipherFinal_ex(Native Method)
E/flutter (29195): 	at com.android.org.conscrypt.OpenSSLCipher$EVP_CIPHER.doFinalInternal(OpenSSLCipher.java:570)
E/flutter (29195): 	at com.android.org.conscrypt.OpenSSLCipher.engineDoFinal(OpenSSLCipher.java:351)
E/flutter (29195): 	at javax.crypto.Cipher.doFinal(Cipher.java:1741)
E/flutter (29195): 	at com.it_nomads.fluttersecurestorage.ciphers.StorageCipher18Implementation.decrypt(StorageCipher18Implementation.java:91)
E/flutter (29195): 	at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin.decodeRawValue(FlutterSecureStoragePlugin.java:163)
E/flutter (29195): 	at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin.read(FlutterSecureStoragePlugin.java:144)
E/flutter (29195): 	at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin.access$300(FlutterSecureStoragePlugin.java:29)
E/flutter (29195): 	at com.it_nomads.fluttersecurestorage.FlutterSecureStoragePlugin$MethodRunner.run(FlutterSecureStoragePlugin.java:197)
E/flutter (29195): 	at java.lang.Thread.run(Thread.java:764)
E/flutter (29195): , null)

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 51
Comments: 76 (16 by maintainers)

Commits related to this issue

Fixes thread safety issues in android code. closes #161 Before, every call from flutter was executed in a separate thread and only the ensureInitStorageCipher was synchronized. All other operations w... — committed to koskimas/flutter_secure_storage by koskimas 4 years ago
Fixes thread safety issues in android code. closes #161 (#165) Before, every call from flutter was executed in a separate thread and only the ensureInitStorageCipher was synchronized. All other ope... — committed to mogol/flutter_secure_storage by koskimas 4 years ago

Most upvoted comments

Hey guys, Please try 3.3.5, it has been published. Kudos to @koskimas

+20

mogol on Oct 8, 2020

Hi @mogol! With 3.3.5 got this error. I got this error only when deploying app to a phone from Google play. On simulator or uploading apk directly, this error doesn’t fire.

+18

vdmitrovskiy-lohika on Nov 4, 2020

I am still facing the same issue in release build, I am using flutter_secure_storage: ^4.2.0

+16

DineshKachhot on Aug 20, 2021

I’m having an issue with the newer version as well. We’re using 3.3.5 and it happens randomly.

+13

Kacppian on Nov 8, 2020

I’m still facing the issue in 4.2.1 and none of the above solutions work, its surprising, a package of 99% popularity is still having the issue reopened again and again 😦

appu-sm on Sep 7, 2021

I added <application ... android:allowBackup="false" android:fullBackupContent="false"> with 3.3.4 but the same error is still there. I had to change back to 3.3.2 and the problem solved.

iNima on Sep 29, 2020

This error happens only in production in the play store. Huawei android 10. Tried this:

If you need fullBackupContent="yes", you can disable backup of prefs used by the plugin.
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <exclude domain="sharedpref" path="FlutterSecureStorage"/>
</full-backup-content>

But I still get the error. Using flutter_secure_storage: ^4.2.0

postpasspost on Jul 1, 2021

Here’s a fix https://github.com/mogol/flutter_secure_storage/pull/165

koskimas on Oct 8, 2020

If you use version 5.0.2 or newer, make sure you use this option when creating the instance:

FlutterSecureStorage(aOptions: AndroidOptions(
    encryptedSharedPreferences: true,
));

This causes the package to use Android’s built-in EncryptedSharedPreferences. The crash only seems to occur when not using this setting, because then the package uses a different way of encrypting and decrypting the prefs. You can see that by reading the source code here: https://github.com/mogol/flutter_secure_storage/blob/26efe91a75228ad8c8626d6eea18f7f3cb21bdd9/flutter_secure_storage/android/src/main/java/com/it_nomads/fluttersecurestorage/FlutterSecureStoragePlugin.java#L101

Also see https://github.com/mogol/flutter_secure_storage/pull/328#issuecomment-988577971

jfahrenkrug on Jun 29, 2022

Getting this error now on an app in production which makes the whole app freeze on launch for a portion of our users. Works on Pixel 1 (Android 10), Pixel 2 (Android 11), but fails on my Pixel 5(Android 11). This issue should probably be re-opened.

andreasmpet on Jan 27, 2021

Hey Sami, I was planning to check on the weekends. So if you can do it early 👍 it’s fine.

Sent from ProtonMail Mobile

On Thu, Oct 8, 2020 at 10:21, Sami Koskimäki notifications@github.com wrote:

@mogol I’d be happy to provide a PR for fixing the thread safety issues. Are you already working on the fix or should I start?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

mogol on Oct 8, 2020

Hey guys, the problem might be setting a key as empty String, at least for me that was it. I know the thread is closed, by anyways, it could help someone else.

dluanoliveira1 on Jul 22, 2021

I have created a new issue #210, since this problem still seems to be active.

RANSoftRA on Feb 25, 2021

@mogol No problem! Took me a good while too 😅

I think many of the other issues here in github are caused by the thread safety issues too. The cipher classes are not thread safe, but they are called from different threads for each flutter call. Every time two calls run in parallel, things can easily go wrong.

The correct solution, I think, would be to have only one worker thread in android native code, in which all operations are run. That way the code doesn’t lock the android main thread, and the code is thread safe. HandlerThread could be a good solution.

koskimas on Oct 7, 2020

I used this workaround by adding <application ... android:allowBackup="false" android:fullBackupContent="false">

to AndroidManifest.xml

bettdouglas on Sep 25, 2020

Same issue with flutter_secure_storage: 4.2.0

okan-oz on Feb 1, 2022

I am also facing this error.

kjawadDeveloper2 on Nov 12, 2021

This was solved with

android:allowBackup=“false” android:fullBackupContent=“false”

in AndroidManifest.xml

chitgoks on Jan 31, 2021

We fixed it by forking the project and removing the strongbox feature. So far we don’t see any problems anymore.

julianzur on Jan 29, 2021

Here’s a reproduction.

Create a new app using flutter create

Replace the content of main.dart with this:

import 'dart:math';

import 'package:flutter/material.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

void main() {
  runApp(MyApp());
}

class MyApp extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Secure storage bug',
      theme: ThemeData(
        primarySwatch: Colors.blue,
        visualDensity: VisualDensity.adaptivePlatformDensity,
      ),
      home: MyHomePage(title: 'Secure storage bug'),
    );
  }
}

class MyHomePage extends StatefulWidget {
  MyHomePage({Key key, this.title}) : super(key: key);
  final String title;

  @override
  _MyHomePageState createState() => _MyHomePageState();
}

class _MyHomePageState extends State<MyHomePage> {
  final secureStorage1 = FlutterSecureStorage();

  Future<void> write() async {
    for (int i = 0; i < 100; ++i) {
      secureStorage1.write(key: 'TEST1', value: 'a');
      secureStorage1.write(key: 'TEST2', value: 'a');
    }
  }

  Future<void> read() async {
    for (int i = 0; i < 100; ++i) {
      secureStorage1.read(key: 'TEST1');
      secureStorage1.read(key: 'TEST2');
    }
  }

  @override
  Widget build(BuildContext context) {
    return Scaffold(
      appBar: AppBar(
        title: Text(widget.title),
      ),
      body: Center(
        child: Column(
          mainAxisAlignment: MainAxisAlignment.center,
          children: <Widget>[
            RaisedButton(
              child: Text('write'),
              onPressed: write,
            ),
            RaisedButton(
              child: Text('read'),
              onPressed: read,
            ),
          ],
        ),
      ),
    );
  }
}

Click write and then read (may need to do that couple of times) and you’ll get the error.

So this seems to happen when I run multiple read/write operations in parallel.

koskimas on Oct 6, 2020

@sandeeppatel1986 Just for double-checking, go to your .pub_cache/hosted/pub.dartlang.org/ folder and check the version number of flutter_secure_storage. Make sure that the folder name is flutter_secure_storage-3.3.2

iNima on Sep 30, 2020

@sydneyagcaoili Double check if the version also changed in the pubspec.lock file

Andrew-Bekhiet on Sep 29, 2020

Having the same Problem with 5.0.2 and i am, too, trying to read a key that doesn’t exist yet. Is there a way to check first if the key exists or not? Tried it with try catch first, which worked, then tried by adding

android:allowBackup=“false” android:fullBackupContent=“false”

in AndroidManifest.xml, which fixed the issue, too.

AG-IT-Solutions on Mar 7, 2022

Still same issue with flutter_secure_storage: 5.0.2 (but happens only on some real devices, never on emulator )

Nazarii77 on Feb 22, 2022

Still same issue with flutter_secure_storage: 4.2.1

fakfa19 on Feb 14, 2022

Same error here

jesusmartinezd on Dec 28, 2021

Same issue with flutter_secure_storage: ^4.2.0

rsmaximiliano on Oct 24, 2021

I still have this problem too

gabdsg on Jan 29, 2021

@Rebloom: I just ran into the issue this weekend again with 3.3.5 on a Pixel 4a with latest security updates from Nov 2020. According to your sources, the TitanM problem “was fixed in the Android security update of December 2019 for the Pixel 3 and newer.”. Do you have any news if the problem could’ve re-appeared?

julianzur on Nov 23, 2020

Here’s a fix #165

Please merge this PR immediately

Philipus13 on Oct 8, 2020

@mogol I’d be happy to provide a PR for fixing the thread safety issues. Are you already working on the fix or should I start?

koskimas on Oct 8, 2020

Looking at the android code, it seems that it’s all completely thread-unsafe. this method is run in a separate thread for each call, and there’s no synchronization whatsoever for any method calls except for the ensureInitStorageCipher method.

Thread safety was destroyed in this commit

koskimas on Oct 6, 2020

A temporary workaround would be to serialize all calls to this library and to only use one FlutterSecureStorage instance per app. Something like this:

class AsyncMutex {
  Completer<void> _completer;

  Future<void> lock() async {
    while (_completer != null) {
      await _completer.future;
    }

    _completer = Completer<void>();
  }

  void unlock() {
    assert(_completer != null);
    final completer = _completer;
    _completer = null;
    completer.complete();
  }
}

class SecureStorage {
  static const _secureStorage = FlutterSecureStorage();
  static final _mutex = AsyncMutex();

  Future<String> read({String key}) async {
    try {
      await _mutex.lock();
      return await _secureStorage.read(key: key);
    } finally {
      _mutex.unlock();
    }
  }

  Future<void> write({String key, String value}) async {
    try {
      await _mutex.lock();
      await _secureStorage.write(key: key, value: value);
    } finally {
      _mutex.unlock();
    }
  }
}

koskimas on Oct 8, 2020

@Andrew-Bekhiet I have same issue also tried with deleting pubspec.lock file. Any further solution. Flutter 1.20.2 flutter_secure_storage: ^3.3.2

Device Samsung S10+(Android 10)

sandeeppatel1986 on Sep 30, 2020

I got the same problem with 3.3.3 and 3.3.4, but when downgraded to 3.3.2 it works fine for me

Andrew-Bekhiet on Sep 29, 2020