From 4a684182ca6d43a44245372d137c9bd7f55e48b6 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Fri, 10 Aug 2018 10:56:13 +0200
Subject: [PATCH] enable lint "GetInstance" security check as error
---
 app/lint.xml | 1 +
 .../zipsigner/optional/PasswordObfuscator.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/app/lint.xml b/app/lint.xml
index e93e67d8e..382ff38f8 100644
--- a/app/lint.xml
+++ b/app/lint.xml
@@ -23,6 +23,7 @@
+
diff --git a/app/src/full/java/kellinwood/security/zipsigner/optional/PasswordObfuscator.java b/app/src/full/java/kellinwood/security/zipsigner/optional/PasswordObfuscator.java
index 352c0b30d..34c0b2f5b 100644
--- a/app/src/full/java/kellinwood/security/zipsigner/optional/PasswordObfuscator.java
+++ b/app/src/full/java/kellinwood/security/zipsigner/optional/PasswordObfuscator.java
@@ -65,6 +65,13 @@ public class PasswordObfuscator {
 return result;
 }
+ /**
+ * This uses the AES-ECB cipher which is known to be insecure
+ *
+ * @see The ECB Penguin
+ */
+ @Deprecated
+ @SuppressWarnings("GetInstance")
 public String encode(String junk, char[] password) {
 if (password == null) return null;
 try {
@@ -84,6 +91,13 @@ public class PasswordObfuscator {
 return null;
 }
+ /**
+ * This uses the AES-ECB cipher which is known to be insecure
+ *
+ * @see The ECB Penguin
+ */
+ @Deprecated
+ @SuppressWarnings("GetInstance")
 public char[] decode(String junk, String password) {
 if (password == null) return null;
 try {
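Review bot: The method-level `@SuppressWarnings("GetInstance")` added to encode() in PasswordObfuscator.java (hunk at +65) exempts the whole method from the check this commit promotes to an error, so any further flagged `getInstance` call added to that method later would pass lint unnoticed; the same applies to decode() in the hunk at +91. The cipher call is outside both hunks, but if it is assigned to a local variable, the annotation could be moved onto that declaration so only the known ECB use is exempt. The `@Deprecated` annotation also has no matching Javadoc tag, so callers get a warning without guidance; I would add a line such as `@deprecated AES-ECB obfuscation, not encryption; do not rely on it to protect the password`. Both method bodies continue past the end of their hunks.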