MASTG-TEST-0209: Inappropriate Key Sizes

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

In this test case, we will look for the use inappropriate key sizes in iOS apps. To do this, we need to focus on the cryptographic frameworks and libraries that are available in iOS and the methods that are used to generate cryptographic keys.

• CommonCrypto: The CCCrypt function is used for symmetric encryption and decryption and specifies the key size or key length in its fifth parameter keyLength.
• Security: The SecKeyCreateRandomKey function is used to generate a random key using certain attributes including kSecAttrKeyType and kSecAttrKeySizeInBits. The SecKeyGeneratePair function is deprecated in iOS 16.
• CryptoKit: The AES.GCM and ChaChaPoly classes are used for symmetric encryption and decryption.

Since you don't usually generate keys directly in CryptoKit (the library does that for you automatically), we'll focus on the CommonCrypto and Security libraries in this test.

Steps

1. Run a static analysis tool such as radare2 for iOS on the app binary, or use a dynamic analysis tool like Frida for iOS, and look for uses of the cryptographic functions that generate keys.

Observation

The output should contain the disassembled code of the functions using CCCrypt or other cryptographic functions.

Evaluation

The test case fails if you can find the use of inappropriate key sizes within the source code. For example, a 1024-bit key size is considered weak for RSA encryption and a 128-bit key size is considered weak for AES encryption considering quantum computing attacks.

Demos

MASTG-DEMO-0011: Uses of Weak Key Size in SecKeyCreateRandomKey with r2