MASTG-TEST-0221: Weak Encryption Algorithms

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

To test for the use of weak encryption algorithms in Android apps, we need to focus on methods from cryptographic frameworks and libraries that are used to perform encryption and decryption operations.

• Cipher.getInstance: Initializes a Cipher object for encryption or decryption. The algorithm parameter can be one of the supported algorithms.
• SecretKeyFactory.getInstance: Returns a SecretKeyFactory object that converts keys into key specifications and vice versa. The algorithm parameter can be one of the supported algorithms.
• KeyGenerator.getInstance: Returns a KeyGenerator object that generates secret keys for symmetric algorithms. The algorithm parameter can be one of the supported algorithms.

Steps

1. Run Static Analysis on Android with a tool such as semgrep on the app binary, or use Method Tracing (dynamic analysis) with a tool like Frida for Android, and look for uses of the cryptographic functions that perform encryption and decryption operations.

Observation

The output should contain a list of locations where insecure symmetric encryption algorithms are used.

Evaluation

The test case fails if you can find insecure or deprecated encryption algorithms being used.