Testing the Configuration of Cryptographic Standard Algorithms
Identify all instances of cryptographic primitives in the code, and identify all custom cryptography implementations. You can look for:
- classes which use
Verify that all calls to `getInstance` use the default provider of security services by not specifying one (on Android this means AndroidOpenSSL, a.k.a. Conscrypt). A provider should only be named explicitly in `KeyStore`-related code, where `"AndroidKeyStore"` is passed as the keystore type (`KeyStore.getInstance("AndroidKeyStore")`) or as the provider to the key generators and factories that create or load keystore-backed keys. If any other `Provider` is specified (for example `"BC"` or a bundled Bouncy Castle / Spongy Castle instance), it must be assessed against the situation and business case (e.g. the targeted Android API levels, since Android 9 deprecated, and later releases removed, the Bouncy Castle implementations that duplicate Conscrypt's), and the provider itself must be examined for known vulnerabilities.
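The provider check above can be automated as a first pass over decompiled (e.g. jadx) output: enumerate every JCA `getInstance` call site, record the algorithm and the optional provider argument, and flag anything that is not the default provider or the `"AndroidKeyStore"` case. The following is an added example written for this section; it is not code from this guide or from any tool it mentions. The source files are a constructed sample, and the class sets and verdict labels are this example's own assumptions.

```python
"""Static pass over decompiled Android sources to enumerate JCA getInstance()
call sites and flag any that pin a non-default Provider (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# JCA/JCE entry points whose getInstance() takes (algorithm[, provider]).
CRYPTO_CLASSES = {
    "Cipher", "Mac", "MessageDigest", "Signature", "SecureRandom",
    "KeyGenerator", "KeyPairGenerator", "KeyFactory", "SecretKeyFactory",
    "KeyAgreement", "KeyStore",
}
# Key-management classes for which naming "AndroidKeyStore" as the provider
# is the intended way to create or load hardware-backed keys (assumption).
KEYSTORE_CLASSES = {"KeyGenerator", "KeyPairGenerator", "KeyFactory", "SecretKeyFactory"}
ANDROID_KEYSTORE = '"AndroidKeyStore"'

CALL_START = re.compile(r"\b(?P<cls>[A-Z]\w*)\.getInstance\(")


@dataclass
class CallSite:
    file: str
    line: int
    cls: str
    algorithm: str          # first argument, verbatim (literal or constant)
    provider: Optional[str] # second argument, verbatim, or None
    verdict: str


def _extract_args(text: str, start: int) -> str:
    """Return the text between the '(' just before `start` and its matching ')'.
    String literals are skipped so a ')' inside them does not end the call."""
    depth, in_str, i = 1, False, start
    while i < len(text) and depth:
        ch = text[i]
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        i += 1
    return text[start:i - 1]


def _split_top_level(args: str) -> List[str]:
    """Split on commas that are not nested in parentheses or string literals,
    so `new BouncyCastleProvider()` stays a single argument."""
    parts, depth, in_str, cur = [], 0, False, []
    for ch in args:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def _verdict(cls: str, algorithm: str, provider: Optional[str]) -> str:
    if cls == "KeyStore":
        # KeyStore.getInstance() takes the keystore *type*, not an algorithm.
        return "ok-android-keystore" if algorithm == ANDROID_KEYSTORE else "review-software-keystore"
    if provider is None:
        return "ok-default-provider"       # Conscrypt on current Android
    if provider == ANDROID_KEYSTORE and cls in KEYSTORE_CLASSES:
        return "ok-android-keystore"
    return "review-explicit-provider"     # e.g. "BC", "SC", new XProvider()


def scan_source(path: str, text: str) -> Iterator[CallSite]:
    for m in CALL_START.finditer(text):
        cls = m.group("cls")
        if cls not in CRYPTO_CLASSES:     # skips unrelated singletons
            continue
        args = _split_top_level(_extract_args(text, m.end()))
        algorithm = args[0] if args else ""
        provider = args[1] if len(args) > 1 else None
        yield CallSite(path, text.count("\n", 0, m.start()) + 1, cls,
                       algorithm, provider, _verdict(cls, algorithm, provider))


def scan(sources: Dict[str, str]) -> List[CallSite]:
    return [cs for path, text in sources.items() for cs in scan_source(path, text)]


# Constructed sample in the shape of jadx output; not taken from any real app.
SAMPLE_SOURCES = {
    "com/example/app/CryptoUtil.java": """
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        Cipher legacy = Cipher.getInstance("AES/CBC/PKCS5Padding", "BC");
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        MessageDigest md = MessageDigest.getInstance("SHA-256", "SC");
        Signature sig = Signature.getInstance("SHA256withRSA", new BouncyCastleProvider());
        String name = Foo.getInstance().name();   // unrelated singleton, ignored
    """,
}

if __name__ == "__main__":
    for cs in scan(SAMPLE_SOURCES):
        print(f"{cs.file}:{cs.line} {cs.cls}.getInstance({cs.algorithm}, {cs.provider}) -> {cs.verdict}")
```

Every `review-*` hit still needs a human decision: a non-literal algorithm argument (a constant such as `KeyProperties.KEY_ALGORITHM_AES`) has to be resolved by hand, and an explicit provider may be justified on old API levels but becomes a crash or a silent downgrade on newer ones. The scan only finds call sites in Java-like source; obfuscated reflection (`Class.forName(...).getMethod("getInstance")`) and native code need the dynamic tracing described next.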
You can use method tracing on the cryptographic methods to capture their input and output values, such as the transformation string and provider passed to `getInstance` and the key material passed to `init`. Monitor file system access while cryptographic operations are being performed to assess where key material is written to or read from; for example, monitor the file system with the API monitor of RMS (Runtime Mobile Security).