package org.owasp.mastestapp

import android.content.Context
import javax.crypto.Cipher
import javax.crypto.SecretKey
import javax.crypto.spec.SecretKeySpec
import android.util.Base64

/**
 * MASTG demo class: deliberately embeds cryptographic key material in the
 * code so that the accompanying rule has something to detect.
 *
 * The [context] parameter is kept for the app's construction contract but is
 * not read by [mastgTest].
 */
class MastgTest(private val context: Context) {

    /**
     * Builds two AES [SecretKeySpec]s from compile-time constants and returns a
     * human-readable report containing both keys (Base64).
     *
     * This is the insecure pattern under test, not a model to copy: anything
     * written as a literal here is recoverable from the APK, and the returned
     * string additionally exposes the key bytes to whoever displays or logs it.
     *
     * @return a multi-line status string listing the hardcoded keys.
     */
    fun mastgTest(): String {
        // Base64 helper so the report lines below read the same way for both keys.
        fun toB64(bytes: ByteArray): String = Base64.encodeToString(bytes, Base64.DEFAULT)

        // Bad: key material is a literal byte array. The 16 bytes are all
        // printable ASCII ("lakdsljkalkjlkls"), i.e. password-like text rather
        // than random key material, and they ship verbatim in the binary.
        val embeddedKeyMaterial = byteArrayOf(
            0x6C, 0x61, 0x6B, 0x64, 0x73, 0x6C, 0x6A, 0x6B,
            0x61, 0x6C, 0x6B, 0x6A, 0x6C, 0x6B, 0x6C, 0x73
        ) // Example key bytes (AES-128 length)
        val keyFromBytes = SecretKeySpec(embeddedKeyMaterial, "AES")

        // The cipher is initialised but never used to encrypt anything here.
        // No GCMParameterSpec is supplied, so the nonce is left to the provider
        // and is not retrieved by this method.
        val aesGcm = Cipher.getInstance("AES/GCM/NoPadding")
        aesGcm.init(Cipher.ENCRYPT_MODE, keyFromBytes)

        // Bad: key derived directly from a string literal in code (security risk).
        // Note that "my secret here" is 14 bytes, which is not a valid AES key
        // size; SecretKeySpec does not validate length, so this would only be
        // rejected once passed to Cipher.init, which this demo never does.
        val keyFromString = SecretKeySpec("my secret here".toByteArray(), "AES")

        // Assemble the report. Exposing key bytes in output is itself a
        // finding; it is done here only to make the demo's result visible.
        val bytesKeyB64 = toB64(embeddedKeyMaterial)
        val stringKeyB64 = toB64(keyFromString.encoded)
        return buildString {
            append("SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\n")
            append("Hardcoded AES Encryption Key: $bytesKeyB64\n")
            append("Hardcoded Key from string: $stringKeyB64\n")
        }
    }
}
# Semgrep rule used by the MASTG demo on this page.
# The scan targets Java (presumably the decompiled / reverse-engineered
# output of the APK rather than the Kotlin source), so the patterns are
# written in Java syntax.
rules:
  - id: mastg-android-hardcoded-crypto-keys-usage
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for hardcoded keys in use.
    message: "[MASVS-CRYPTO-1] Hardcoded cryptographic keys found in use."
    pattern-either:
      # NOTE(review): this pattern places no constraint on $KEY, so it fires
      # on every SecretKeySpec construction, including keys loaded at runtime
      # (e.g. from a keystore). Treat its hits as candidates for manual triage
      # rather than confirmed hardcoded keys.
      - pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);
      # Narrower variant: a byte[] initialised from an array literal and later
      # (the `...` allows any intervening statements in the same scope) passed
      # to SecretKeySpec. This is the case that actually demonstrates key
      # material embedded in code.
      - pattern: |-
          byte[] $KEY = {...};
          ...
          new SecretKeySpec($KEY, $ALGO);
The rule has identified one instance in the code file where hardcoded keys are used. The reported line numbers can be located in the reverse-engineered code for further investigation and remediation.