MASTG-TEST-0221: Weak Encryption Algorithms

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Overview

To test for the use of weak encryption algorithms in Android apps, we need to focus on methods from cryptographic frameworks and libraries that are used to perform encryption and decryption operations.

Steps

  1. Run Static Analysis on Android with a tool such as semgrep on the app binary, or use Method Tracing (dynamic analysis) with a tool like Frida for Android, and look for uses of the cryptographic functions that perform encryption and decryption operations.

Observation

The output should contain a list of locations where insecure symmetric encryption algorithms are used.

Evaluation

The test case fails if you can find insecure or deprecated encryption algorithms being used.

For example, DES (Data Encryption Standard) and 3DES (Triple DES) are deprecated by NIST SP 800-131A Rev. 2 due to vulnerabilities such as brute-force attacks and meet-in-the-middle attacks. Replace them with stronger alternatives, such as AES-256, which is widely recognized as secure for modern apps.
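The following is an added example, not MASTG's own tooling, that implements the analysis step above for the DES and 3DES criterion in the evaluation: a classifier for JCA `Cipher.getInstance` transformation strings, a static scan over decompiled source lines, and a Frida hook that only activates when the script is loaded into Frida (under plain Node.js the hook section is skipped). Assumptions: only the single-argument `String` overload of `Cipher.getInstance` is hooked, and the `SAMPLE_SOURCE` lines are constructed, not taken from any real app.

```javascript
// Weak symmetric ciphers named on the page. Order matters: DESEDE before DES.
const WEAK_PREFIXES = [
  ['DESEDE', '3DES (Triple DES): deprecated by NIST SP 800-131A Rev. 2'],
  ['DES', 'DES: deprecated by NIST SP 800-131A Rev. 2'],
];

// Parse a JCA "algorithm/mode/padding" string (names are case-insensitive).
// PBE names such as PBEWithMD5AndDES embed the cipher after "And", so the
// prefix check is applied to that suffix rather than the whole name.
function classifyTransformation(transformation) {
  const algorithm = String(transformation).trim().split('/')[0].toUpperCase();
  const andIdx = algorithm.indexOf('AND');
  const cipher = andIdx >= 0 ? algorithm.slice(andIdx + 3) : algorithm;
  const hit = WEAK_PREFIXES.find(([prefix]) => cipher.startsWith(prefix));
  return { transformation, cipher, weak: hit !== undefined, reason: hit ? hit[1] : null };
}

// Static path: scan decompiled source lines for Cipher.getInstance("...")
// literals and return the weak ones with their 1-based line numbers.
function scanSource(lines) {
  const pattern = /Cipher\s*\.\s*getInstance\s*\(\s*"([^"]+)"/g;
  const findings = [];
  lines.forEach((line, i) => {
    for (const m of line.matchAll(pattern)) {
      const result = classifyTransformation(m[1]);
      if (result.weak) findings.push({ line: i + 1, ...result });
    }
  });
  return findings;
}

// Dynamic path: executes only under Frida, where the Java bridge exists.
// Hooks the String overload of Cipher.getInstance and logs weak transformations.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function (t) {
      const r = classifyTransformation(t);
      if (r.weak) console.log(`[weak cipher] ${t}: ${r.reason}`);
      return this.getInstance(t);
    };
  });
}

// Constructed sample of decompiled source (not taken from any real app).
const SAMPLE_SOURCE = [
  'Cipher c1 = Cipher.getInstance("AES/GCM/NoPadding");',
  'Cipher c2 = Cipher.getInstance("DES/CBC/PKCS5Padding");',
  'Cipher c3 = Cipher.getInstance("DESede/ECB/PKCS5Padding");',
  'Cipher c4 = Cipher.getInstance("PBEWithMD5AndDES");',
];
console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
```

Transformations built at runtime from string concatenation or obfuscated constants are invisible to the static scan, which is why the Frida path is kept alongside it.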