MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
In this test case, we will look for the use of hardcoded keys in Android applications. To do this, we need to focus on the cryptographic APIs through which hardcoded key material enters the app. The Java Cryptography Architecture (JCA) provides the SecretKeySpec class, which allows you to create a SecretKey directly from a byte array; if that byte array is a constant embedded in the code, the key is hardcoded and can be recovered by anyone who decompiles the app.
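As an added illustration (not code from this MASTG page or from the referenced demo), the class below shows the pattern this test flags, a SecretKeySpec built from a constant byte array, next to an Android Keystore alternative in which raw key bytes never appear in application code. The class name, the key alias and the key bytes are constructed placeholders; the APIs used are the standard JCA classes and android.security.keystore.

```java
// Added example (not part of the MASTG page): the hardcoded-key anti-pattern this
// test looks for, beside an Android Keystore alternative that never exposes raw
// key bytes to application code. Class name, alias and key bytes are illustrative.
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

public class KeyHandling {

    // FAILS this test: the key material is a compile-time constant. Anyone who
    // decompiles the APK recovers these 16 bytes, and SecretKeySpec simply wraps
    // them as an AES key. The value is a constructed placeholder.
    private static final byte[] HARDCODED_KEY = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
    };

    static SecretKey hardcodedKey() {
        return new SecretKeySpec(HARDCODED_KEY, "AES");
    }

    // PASSES: the key is generated inside the Android Keystore on first use and
    // the app only ever holds a handle (the alias). getEncoded() on the returned
    // key returns null, so there are no key bytes to hardcode or to leak.
    private static final String ALIAS = "example-aes-key"; // illustrative alias

    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return (SecretKey) ks.getKey(ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // The encryption code is identical for both keys; only the key's origin
    // differs, which is exactly what this test case examines.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // provider generates a random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out; // IV || ciphertext+tag
    }
}
```

When reviewing code, the `hardcodedKey()` shape (a constant byte array or string literal flowing into `new SecretKeySpec(...)`) is the signature to search for with static analysis, and hooking the `SecretKeySpec` constructor at runtime shows the same constant bytes arriving on every call. The Keystore variant needs an Android runtime; on a plain JVM only the hardcoded variant would execute, which is itself a reminder that the key is fully reproducible outside the device.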
Steps
- Use either Static Analysis on Android with a tool such as semgrep, or Method Tracing (dynamic analysis) with a tool like Frida for Android, to identify all instances of symmetric key encryption in the code and look for uses of hardcoded cryptographic keys.
Observation
The output should contain a list of locations where hardcoded keys are used.
Evaluation
The test case fails if you find any hardcoded keys that are used in security-sensitive contexts.
Demos
MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep