
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

In this test case we look for hardcoded cryptographic keys in Android applications. The place to look is where key material is turned into a key object: the Java Cryptography Architecture (JCA) provides the SecretKeySpec class, which creates a SecretKey directly from a byte array. When that byte array is a constant in the code (a byte[] literal, a string literal, or a Base64- or hex-encoded constant that is decoded at runtime), the key is hardcoded and can be recovered by anyone who decompiles the app.

Steps

  1. Use either Static Analysis on Android with a tool such as semgrep, or Method Tracing (dynamic analysis) with a tool such as Frida for Android, to identify every instance of symmetric-key encryption in the code and check whether the keys it uses are hardcoded. Static analysis finds constants passed to SecretKeySpec; tracing the SecretKeySpec constructor at runtime reveals the actual key bytes even when they are decoded or assembled on the fly.
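As an added example (not part of the MASTG page, the MASTG demo, or any MASTG tool), the following Python script shows in one place the SecretKeySpec patterns described in the Overview and a minimal static check of the kind the step above delegates to semgrep. The Java source it scans is constructed for this example; the class CryptoHelper, its method names and the constant names are assumptions. It flags a SecretKeySpec whose key argument is a byte[] literal, a string literal, a Base64-decoded literal, or a final field initialised with one of those, and it does not flag keys that come from the Android Keystore or from a runtime parameter.

```python
import re

# Constructed sample of decompiled Android source, assumed for this example only.
SAMPLE_SOURCE = """\
package com.example.app;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.KeyStore;
import android.util.Base64;

public class CryptoHelper {
    private static final byte[] KEY = new byte[]{
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
    private static final String B64_KEY = "AAECAwQFBgcICQoLDA0ODw==";
    // Hardcoded: key bytes are a compile-time byte[] constant.
    SecretKey a() { return new SecretKeySpec(KEY, "AES"); }
    // Hardcoded: key bytes come from a string literal.
    SecretKey b() { return new SecretKeySpec("1234567890123456".getBytes(), "AES"); }
    // Hardcoded: key bytes are a Base64 constant decoded at runtime.
    SecretKey c() { return new SecretKeySpec(Base64.decode(B64_KEY, Base64.DEFAULT), "AES"); }
    // Not hardcoded: the key lives in the Android Keystore, never in code.
    SecretKey d() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ((KeyStore.SecretKeyEntry) ks.getEntry("alias", null)).getSecretKey();
    }
    // Not flagged statically: key bytes are a runtime input.
    SecretKey e(byte[] derived) { return new SecretKeySpec(derived, "AES"); }
}
"""

CONST_DECL = re.compile(r"final\s+(?:byte\[\]|String)\s+(\w+)\s*=\s*(.+?);", re.S)
KEYSPEC_CALL = re.compile(r"new\s+SecretKeySpec\s*\(")
BASE64_CALL = re.compile(r"(?:[\w.]+\.)?Base64\.(?:getDecoder\(\)\.)?decode\s*\(")


def _collect_constants(src):
    """Map final byte[]/String field names to their initializer text."""
    return {m.group(1): m.group(2).strip() for m in CONST_DECL.finditer(src)}


def _first_arg(text, open_idx):
    """Return the first argument of the call whose '(' sits at open_idx,
    skipping string literals and nested brackets."""
    depth, in_str, i = 0, False, open_idx
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:                  # call closed: single-argument call
                return text[open_idx + 1:i].strip()
        elif ch == "," and depth == 1:      # top-level comma ends the first argument
            return text[open_idx + 1:i].strip()
        i += 1
    raise ValueError("unbalanced brackets")


def _constant_origin(expr, constants, seen=()):
    """Return a reason if `expr` resolves to compile-time key bytes, else None."""
    expr = expr.strip()
    if expr.startswith("new byte[]"):
        return "byte[] literal"
    if expr.startswith('"'):                # also covers "...".getBytes(...)
        return "string literal"
    m = BASE64_CALL.match(expr)
    if m:                                   # Base64.decode(X, ...): classify X
        inner = _constant_origin(_first_arg(expr, m.end() - 1), constants, seen)
        return f"Base64 of {inner}" if inner else None
    if re.fullmatch(r"\w+", expr) and expr in constants and expr not in seen:
        inner = _constant_origin(constants[expr], constants, seen + (expr,))
        return f"{inner} via constant {expr}" if inner else None
    return None


def find_hardcoded_keys(src):
    """List every `new SecretKeySpec(...)` whose key argument is constant."""
    constants = _collect_constants(src)
    findings = []
    for m in KEYSPEC_CALL.finditer(src):
        key_arg = _first_arg(src, m.end() - 1)
        reason = _constant_origin(key_arg, constants)
        if reason:
            findings.append({"line": src.count("\n", 0, m.start()) + 1,
                             "arg": key_arg, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {f['line']}: SecretKeySpec({f['arg']}, ...)  <- {f['reason']}")
```

Run as-is it reports the three findings in a(), b() and c() with their line numbers. The identifier resolution is what a plain grep for `new SecretKeySpec(` misses: the key in a() is a static final field whose literal sits several lines away from the call. The scanner is deliberately narrow; it does not follow values across classes or through custom decoders such as a hex helper, which is where semgrep's pattern matching or a Frida hook on the SecretKeySpec constructor (dumping the real key bytes at runtime) becomes the better tool.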

Observation

The output should contain a list of locations where hardcoded keys are used.

Evaluation

The test case fails if any hardcoded key is used in a security-sensitive context, for example to encrypt stored user data, to protect other keys, or to authenticate to a backend.

Demos

MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep