This checker looks for uses of standard cryptographic algorithms in configurations that are known to be weak. It currently covers three classes of problems:

  • Creating an instance of javax.crypto.Cipher using either the default settings or the notoriously insecure ECB mode. In particular, Java's default Cipher.getInstance("AES") returns a cipher object that operates in ECB mode, because a transformation string without an explicit mode and padding expands to "AES/ECB/PKCS5Padding". Dynamically constructed transformation strings (for example a mode read from a configuration file or concatenated at run time) are also flagged, as they may conceal an instance of ECB mode. The problem with ECB mode is that, under a given key, encrypting the same block of plaintext always yields the same block of ciphertext. Hence repetitions in the plaintext translate into repetitions in the ciphertext, which leak structure that can be readily used for cryptanalysis; ECB also provides no integrity protection, so ciphertext blocks can be reordered or replaced undetected. The use of IES-based cipher algorithms also raises an error, as all currently available implementations use ECB mode under the hood.

  • Using the Diffie-Hellman protocol on prime fields (finite-field DH, the "DH" algorithm in the JCA). Most library implementations of Diffie-Hellman on prime fields have serious issues that can be exploited by an attacker. Any operation that may involve this protocol (parameter or key-pair generation as well as the key agreement itself) is flagged by the checker. Implementations of the protocol based on elliptic curves (ECDH) are not flagged and should be used instead.

  • Using DSA for digital signatures. Some widely used crypto libraries accept invalid DSA signatures in specific configurations. The checker flags all cryptographic operations that may involve DSA, including key-pair generation, signing and verification.
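The following is an added example, not code from the original page or from the checker's own sources. It places each of the three flagged patterns next to the replacement a practitioner would use: Cipher.getInstance("AES") (ECB by default) beside AES/GCM with a fresh nonce, finite-field "DH" beside "ECDH" on P-256, and "SHA256withDSA" beside "SHA256withECDSA". The class name CryptoCheckerExamples, the helper names, the 32-byte sample plaintext and the choice of GCM, P-256 and ECDSA as replacements are assumptions made for the example; which exact call sites the checker reports depends on its implementation. The main method demonstrates the ECB leak the text describes by encrypting two identical plaintext blocks and comparing the resulting ciphertext blocks.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not the checker's code): flagged patterns beside their replacements.
public class CryptoCheckerExamples {

    // FLAGGED: a bare "AES" transformation resolves to "AES/ECB/PKCS5Padding".
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Replacement (assumed here): an explicit authenticated mode with a fresh 96-bit
    // random nonce per message. The nonce is prepended so the receiver can rebuild
    // the GCMParameterSpec; the 128-bit tag is appended by the cipher itself.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // True when the first two 16-byte ciphertext blocks are identical, i.e. the
    // plaintext repetition has leaked into the ciphertext.
    static boolean firstTwoBlocksRepeat(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    // Two-party key agreement with the named algorithm ("DH" or "ECDH"); returns the
    // shared secret side A derives from its own private key and B's public key.
    static byte[] agree(String alg, KeyPair a, KeyPair b) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance(alg);
        ka.init(a.getPrivate());
        ka.doPhase(b.getPublic(), true);
        return ka.generateSecret();
    }

    // Signs one message with the named algorithm and verifies the result.
    static boolean signAndVerify(String alg, KeyPair kp, byte[] msg) throws Exception {
        Signature signer = Signature.getInstance(alg);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two identical 16-byte plaintext blocks.
        byte[] plaintext = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // ECB: identical plaintext blocks always give identical ciphertext blocks.
        System.out.println("ECB repeats block: " + firstTwoBlocksRepeat(encryptEcb(key, plaintext)));
        // GCM: skip the 12-byte nonce prefix; the two blocks differ (except with
        // negligible probability), so the repetition is hidden.
        byte[] gcm = encryptGcm(key, plaintext);
        System.out.println("GCM repeats block: " + firstTwoBlocksRepeat(Arrays.copyOfRange(gcm, 12, gcm.length)));

        // FLAGGED: finite-field Diffie-Hellman. B is initialised with A's group
        // parameters so both sides agree on the same prime and generator.
        KeyPairGenerator dhGen = KeyPairGenerator.getInstance("DH");
        dhGen.initialize(2048);
        KeyPair dhA = dhGen.generateKeyPair();
        dhGen.initialize(((DHPublicKey) dhA.getPublic()).getParams());
        KeyPair dhB = dhGen.generateKeyPair();
        System.out.println("DH secrets match: " + Arrays.equals(agree("DH", dhA, dhB), agree("DH", dhB, dhA)));

        // Replacement: ECDH on the P-256 named curve.
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ecA = ecGen.generateKeyPair();
        KeyPair ecB = ecGen.generateKeyPair();
        System.out.println("ECDH secrets match: " + Arrays.equals(agree("ECDH", ecA, ecB), agree("ECDH", ecB, ecA)));

        // FLAGGED: DSA signatures. Replacement: ECDSA, reusing the P-256 key pair.
        KeyPairGenerator dsaGen = KeyPairGenerator.getInstance("DSA");
        dsaGen.initialize(2048);
        System.out.println("DSA verifies: " + signAndVerify("SHA256withDSA", dsaGen.generateKeyPair(), plaintext));
        System.out.println("ECDSA verifies: " + signAndVerify("SHA256withECDSA", ecA, plaintext));
    }
}
```

Compile and run with `javac CryptoCheckerExamples.java && java CryptoCheckerExamples` on a stock JDK; no third-party provider is needed. The ECB line prints `true` and the GCM line `false`, which is the whole difference the first bullet is about. Two caveats apply to the replacements: AES-GCM loses all confidentiality and integrity if a nonce is ever reused under the same key, so the nonce must come from a CSPRNG or a strictly increasing counter as above, never from a constant or a timestamp; and the checker's dynamic-string rule means the transformation should be the literal "AES/GCM/NoPadding", not a value assembled at run time, even when the assembled value would be the same.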