package org.owasp.mastestapp

import android.content.Context
import android.security.keystore.KeyProperties
import android.util.Base64
import android.util.Log
import java.security.KeyPairGenerator
import java.security.SecureRandom
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

/**
 * MASTG demo class that generates one RSA key pair and two AES keys and reports
 * their encoded key material as a string.
 *
 * The key sizes are chosen on purpose: RSA-1024 and AES-128 are exactly the
 * parameters the accompanying `weak_key_size` rule flags, while the 256-bit AES
 * key is there as the non-flagged comparison. The RSA public key (only the
 * public half) is additionally written to logcat at debug level.
 *
 * @param context Android context; accepted by the constructor but not read by any member.
 */
class MastgTest(private val context: Context) {

    /** Base64 (DEFAULT flags) encoding of raw key bytes, shared by every output value. */
    private fun toBase64(bytes: ByteArray): String =
        Base64.encodeToString(bytes, Base64.DEFAULT)

    /** Generates a fresh AES [SecretKey] of [bits] length using the default provider. */
    private fun newAesKey(bits: Int): SecretKey =
        KeyGenerator.getInstance("AES").apply { init(bits) }.generateKey()

    /**
     * Generates an RSA-1024 key pair, a 128-bit AES key and a 256-bit AES key.
     *
     * @return one string made of the Base64 RSA public key and both Base64 AES
     *         keys, each preceded by its label; the pieces are concatenated with
     *         no separator between a value and the next label.
     */
    fun mastgTest(): String {
        // 1024-bit RSA seeded from a fresh SecureRandom — the weak size is the point of this test.
        val rsaPair = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA)
            .apply { initialize(1024, SecureRandom()) }
            .genKeyPair()
        val rsaPublic = toBase64(rsaPair.public.encoded)
        Log.d("Keypair generated RSA", rsaPublic)

        val aes128 = newAesKey(128) // 128-bit AES key (flagged by the rule)
        val aes256 = newAesKey(256) // 256-bit AES key (not flagged)

        return "Generated RSA Key:\n " + rsaPublic +
            "Generated AES Key1\n " + toBase64(aes128.encoded) +
            "Generated AES Key2\n " + toBase64(aes256.encoded)
    }
}
# Semgrep rule behind the MASTG weak-key-size test. It targets Java source
# (the test flow applies it to reverse-engineered code) and matches only the
# literal sizes spelled out in the patterns below: RSA 1024/512 initialised
# with a fresh SecureRandom, and AES 128. Other initialisation forms and other
# weak parameters are outside this rule's scope.
rules:
  - id: weak_key_size
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for methods that create a weak key size in encryption algorithms.
    message: "[MASVS-CRYPTO] Make sure that the key size is according to security best practices"
    pattern-either:
      # RSA generator initialised to 1024 bits
      - pattern: |
          $K = $G.getInstance("RSA");
          ...
          $K.initialize(1024, new SecureRandom());
      # RSA generator initialised to 512 bits
      - pattern: |
          $K = $G.getInstance("RSA");
          ...
          $K.initialize(512, new SecureRandom());
      # AES KeyGenerator initialised to 128 bits
      - pattern: |
          $K = $G.getInstance("AES");
          ...
          $K.init(128);
The rule has identified the places in the code file where cryptographic keys are generated. The reported line numbers refer to the reverse-engineered code, where they can be looked up for further investigation and remediation.
The test fails because the RSA key size is set to 1024 bits and the AES key size is set to 128 bits, both of which are considered weak.