
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

In this test case, we look for the use of hardcoded keys in Android applications. To do this, we need to focus on the cryptographic APIs through which a key enters the code. The Java Cryptography Architecture (JCA) provides the SecretKeySpec class, which constructs a SecretKey directly from a byte array; when that byte array is a constant in the source (a literal array, a string literal, or a field initialized from one), the key is hardcoded in the app.

Steps

  1. Run a static analysis tool such as semgrep on the code and look for uses of hardcoded cryptographic keys, e.g. constant byte arrays or string literals passed to SecretKeySpec.
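To make the pattern described in the overview and the semgrep step concrete, here is an added example that is not part of the MASTG page or of MASTG-DEMO-0017: a small Python scanner that approximates what a semgrep rule for this test does. It flags every `new SecretKeySpec(...)` call whose key argument is a string literal, an inline byte-array literal, or a field initialized from such a literal, and reports the source line. The Java class it scans is constructed for this example; the scanner, its function names and its heuristic (text-based, Java only, single file, no cross-file resolution) are assumptions of this example, not the rule shipped with the demo.

```python
import re

# Constructed sample Java source for this example (not from the MASTG page).
# Four methods hardcode the key in different ways; the last one receives it
# at runtime and must not be reported.
SAMPLE_JAVA = '''
package com.example.app;

import javax.crypto.spec.SecretKeySpec;

public class Crypto {
    private static final byte[] KEY = {0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78};
    private static final String PASS = "s3cr3tpassw0rd!!";

    SecretKeySpec fromArrayField() {
        return new SecretKeySpec(KEY, "AES");
    }

    SecretKeySpec fromStringLiteral() {
        return new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    }

    SecretKeySpec fromStringField() {
        return new SecretKeySpec(PASS.getBytes(), "AES");
    }

    SecretKeySpec fromInlineArray() {
        return new SecretKeySpec(new byte[]{1, 2, 3, 4}, "AES");
    }

    SecretKeySpec fromRuntimeKey(byte[] rawKey) {
        return new SecretKeySpec(rawKey, "AES");
    }
}
'''

# Constructor call we are interested in (assumed Java syntax only).
CALL_RE = re.compile(r"new\s+SecretKeySpec\s*\(")
# byte[] or String field whose initializer starts with a literal ({ or ").
FIELD_RE = re.compile(
    r"(?:static\s+)?(?:final\s+)?(?:byte\s*\[\s*\]|String)\s+(\w+)\s*=\s*(\{|\")"
)
INLINE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{")
IDENT_RE = re.compile(r"(\w+)(?:\s*\.\s*getBytes\s*\(.*\))?$", re.DOTALL)


def literal_fields(source):
    """Names of byte[]/String fields initialized from a literal in this file."""
    return {m.group(1) for m in FIELD_RE.finditer(source)}


def first_argument(source, start):
    """Text of the first constructor argument beginning at index `start`.

    Walks the source tracking nesting depth and string state so that commas
    inside nested braces/parens or string literals do not end the argument.
    """
    depth, in_str, i = 0, False, start
    while i < len(source):
        c = source[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c in "({[":
            depth += 1
        elif c in ")}]":
            if depth == 0:
                break           # closing paren of the constructor call
            depth -= 1
        elif c == "," and depth == 0:
            break               # end of the first argument
        i += 1
    return source[start:i].strip()


def is_hardcoded(arg, fields):
    """True when the key argument is a literal or a field holding a literal."""
    arg = arg.strip()
    if arg.startswith('"') or arg.startswith("{") or INLINE_ARRAY_RE.match(arg):
        return True
    m = IDENT_RE.match(arg)
    return bool(m and m.group(1) in fields)


def find_hardcoded_keys(source):
    """Return (line, key_argument) for every SecretKeySpec built from a constant."""
    fields = literal_fields(source)
    findings = []
    for m in CALL_RE.finditer(source):
        arg = first_argument(source, m.end())
        if is_hardcoded(arg, fields):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, arg))
    return findings


if __name__ == "__main__":
    for line, arg in find_hardcoded_keys(SAMPLE_JAVA):
        print(f"line {line}: hardcoded key passed to SecretKeySpec: {arg}")
```

The scanner reports the field-backed, string-literal, string-field and inline-array cases and stays silent on `fromRuntimeKey`, which is the behaviour the evaluation step asks for: any reported location is a failing finding. A real semgrep rule does the same resolution with proper parsing, including across Kotlin sources and obfuscated names, which this text heuristic does not attempt.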

Observation

The output should contain a list of locations where hardcoded keys are used.

Evaluation

The test case fails if you find any hardcoded keys.

Demos

MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep