MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
Overview
This test case looks for hardcoded cryptographic keys in Android applications. Since a key embedded in code must eventually be handed to a cryptographic API, the search focuses on the implementations that consume it. The Java Cryptography Architecture (JCA) provides the SecretKeySpec class, which constructs a SecretKey directly from a byte array, so a hardcoded key typically reaches the cipher through this class.
Steps
- Use Reverse Engineering Android Apps to reverse engineer the app.
- Use Static Analysis on Android to look for the relevant APIs.
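As an added illustration of the static-analysis step (example code written for this page, not part of MASTG or the semgrep demo), the following Python scanner applies the same idea textually: it flags `new SecretKeySpec(...)` calls whose key argument is a byte-array literal, a string literal, or a `static final` field initialised with a literal. The Java source it scans is a constructed sample.

```python
import re
from dataclasses import dataclass

# Constructed sample Java source; not taken from any real application.
SAMPLE_JAVA = """\
public class Crypto {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = new byte[]{1,2,3,4};
    SecretKey a() { return new SecretKeySpec(KEY.getBytes(), "AES"); }
    SecretKey b() { return new SecretKeySpec(new byte[]{0x01, 0x02}, "AES"); }
    SecretKey c() { return new SecretKeySpec("s3cret".getBytes("UTF-8"), "AES"); }
    SecretKey d(byte[] k) { return new SecretKeySpec(k, "AES"); }
}
"""

# First constructor argument of SecretKeySpec: byte-array literal, string
# literal (optionally with .getBytes(...)), or any other expression.
CALL_RE = re.compile(
    r'new\s+SecretKeySpec\s*\(\s*'
    r'(?P<arg>new\s+byte\[\]\s*\{[^}]*\}|"[^"]*"(?:\.getBytes\([^)]*\))?|[^,]+)\s*,')
# static final String/byte[] fields with their initialiser.
FIELD_RE = re.compile(
    r'static\s+final\s+(?:String|byte\s*\[\s*\])\s+(?P<name>\w+)\s*=\s*(?P<init>[^;]+);')

@dataclass
class Finding:
    line: int
    arg: str
    reason: str

def literal_fields(src):
    """Names of static final fields whose initialiser is a compile-time literal."""
    fields = {}
    for m in FIELD_RE.finditer(src):
        init = m.group('init').strip()
        if init.startswith('"') or init.startswith('new byte[]'):
            fields[m.group('name')] = init
    return fields

def find_hardcoded_keys(src):
    """Return one Finding per SecretKeySpec call fed from a literal key."""
    fields = literal_fields(src)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            arg = m.group('arg').strip()
            if arg.startswith('new byte[]'):
                reason = 'byte-array literal'
            elif arg.startswith('"'):
                reason = 'string literal'
            elif arg.split('.')[0] in fields:
                reason = f'static field {arg.split(".")[0]} initialised with a literal'
            else:
                continue  # key comes from a parameter or call: not decidable here
            findings.append(Finding(lineno, arg, reason))
    return findings
```

The scanner is line-local and regex-based, so keys loaded from resources, assets or other classes are not caught; the semgrep demo's AST matching is the more robust form of the same check.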
Observation
The output should contain a list of locations where hardcoded keys are used.
Evaluation
The test case fails if you find any hardcoded keys that are used in security-sensitive contexts.
Demos
MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep