MASTG-TEST-0221: Weak Encryption Algorithms
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
To test for the use of weak encryption algorithms in Android apps, we need to focus on methods from cryptographic frameworks and libraries that are used to perform encryption and decryption operations.
- Cipher.getInstance: Initializes a Cipher object for encryption or decryption. The algorithm parameter can be one of the supported algorithms.
- SecretKeyFactory.getInstance: Returns a SecretKeyFactory object that converts keys into key specifications and vice versa. The algorithm parameter can be one of the supported algorithms.
- KeyGenerator.getInstance: Returns a KeyGenerator object that generates secret keys for symmetric algorithms. The algorithm parameter can be one of the supported algorithms.
Steps
- Run Static Analysis on Android with a tool such as semgrep on the app binary, or use Method Tracing (dynamic analysis) with a tool like Frida for Android, and look for uses of the cryptographic functions that perform encryption and decryption operations.
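As an added example (not part of the MASTG page or the MASTG tooling), the following Frida script hooks the three getInstance entry points listed above and reports calls that name a weak cipher, ECB mode, or no mode at all. The classification lives in a plain function, assessAlgorithm, so it can be checked off-device with Node; the algorithm names and the weak-cipher list are assumptions based on the Java Cryptography Architecture standard names, not an exhaustive policy.

```javascript
// Added example: detection logic for weak symmetric algorithms in Android apps.
// JCA standard names (uppercased for comparison); extend the sets to match your policy.
const WEAK_CIPHERS = new Set(["DES", "DESEDE", "TRIPLEDES", "RC2", "RC4", "ARCFOUR", "BLOWFISH"]);
const WEAK_MODES = new Set(["ECB"]);

// Returns null when the algorithm looks acceptable, otherwise a one-line finding.
// api is "Cipher", "SecretKeyFactory" or "KeyGenerator"; algorithm is the getInstance argument.
function assessAlgorithm(api, algorithm) {
  const transformation = String(algorithm).toUpperCase();
  // Cipher transformations are "algorithm/mode/padding"; the other APIs take bare names.
  const [name, mode] = transformation.split("/");
  // Password-based names such as PBEWithMD5AndDES embed the cipher after "And".
  const cipherPart = name.includes("AND") ? name.split("AND").pop() : name;
  if (WEAK_CIPHERS.has(cipherPart)) {
    return `${api}.getInstance("${algorithm}"): weak cipher ${cipherPart}`;
  }
  // Mode only matters for symmetric Cipher transformations; "RSA/ECB/..." is just the standard RSA name.
  if (api === "Cipher" && name !== "RSA") {
    if (mode === undefined) {
      return `${api}.getInstance("${algorithm}"): no mode given, provider default is ECB`;
    }
    if (WEAK_MODES.has(mode)) {
      return `${api}.getInstance("${algorithm}"): insecure ${mode} mode`;
    }
  }
  return null;
}

// Only when running inside Frida: hook every getInstance overload and log findings with a stack trace
// so each hit can be mapped back to the calling code.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    for (const api of ["Cipher", "SecretKeyFactory", "KeyGenerator"]) {
      const clazz = Java.use(`javax.crypto.${api}`);
      clazz.getInstance.overloads.forEach(function (overload) {
        overload.implementation = function () {
          const finding = assessAlgorithm(api, arguments[0]);
          if (finding !== null) {
            console.log("[weak-crypto] " + finding);
            const Log = Java.use("android.util.Log");
            console.log(Log.getStackTraceString(Java.use("java.lang.Exception").$new()));
          }
          return overload.apply(this, arguments);
        };
      });
    }
  });
}
```

Run it with frida -U -f <package> -l weak-crypto.js; each logged finding is one location to record in the observation list.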
Observation
The output should contain a list of locations where insecure symmetric encryption algorithms are used.
Evaluation
The test case fails if you can find insecure or deprecated encryption algorithms being used.