MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
In this test case, we look for hardcoded cryptographic keys in Android applications. To do this, we focus on the cryptographic APIs that consume key material, since a hardcoded key only becomes exploitable where it is fed into a cipher. The Java Cryptography Architecture (JCA) provides the SecretKeySpec class, which creates a SecretKey directly from a byte array; a key literal passed to this constructor is the typical pattern.
Steps
- Run a static analysis tool such as semgrep on the code and look for uses of hardcoded cryptographic keys, in particular SecretKeySpec instances built from literal byte arrays or strings.
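As an added example (not the MASTG page's own rule, nor the one used in its demo), a semgrep rule that flags `SecretKeySpec` objects built from key material embedded in the source; the rule id, message and file name are made up for this illustration:

```yaml
rules:
  - id: hardcoded-key-in-secretkeyspec
    languages: [java]
    severity: ERROR
    message: >
      SecretKeySpec is constructed from key material embedded in the code.
      Anyone who unpacks the APK can recover this key. Generate keys at
      runtime and keep them in the Android Keystore instead.
    metadata:
      category: security
    patterns:
      # Every match is a SecretKeySpec whose first argument is the key bytes.
      - pattern: new SecretKeySpec($KEY, ...)
      - pattern-either:
          # Key written inline as a string or byte-array literal.
          - pattern: new SecretKeySpec("...".getBytes(...), ...)
          - pattern: new SecretKeySpec(new byte[] {...}, ...)
          # Key assigned to a local byte[] from a literal earlier in the method.
          - pattern-inside: |
              byte[] $KEY = new byte[] {...};
              ...
          # Key assigned to a local String literal, then converted to bytes.
          - patterns:
              - pattern: new SecretKeySpec($S.getBytes(...), ...)
              - pattern-inside: |
                  String $S = "...";
                  ...
          # Key kept in a field of the enclosing class, initialised with a literal.
          - pattern-inside: |
              class $C {
                ...
                byte[] $KEY = new byte[] {...};
                ...
              }
```

Save it as `hardcoded-key.yaml` (assumed name) and run `semgrep --config hardcoded-key.yaml app/src/`; keys that are obfuscated first (Base64 or hex strings, string concatenation, decoded at runtime) need additional patterns, so a clean run is not proof of absence.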
Observation
The output should contain a list of locations where hardcoded keys are used.
Evaluation
The test case fails if you find any hardcoded keys.
Demos
MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep