MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
Overview
To test for the use of broken encryption algorithms in Android apps, we need to focus on methods from cryptographic frameworks and libraries that are used to perform encryption and decryption operations.
- Cipher.getInstance: Initializes a Cipher object for encryption or decryption. The algorithm parameter can be one of the supported algorithms.
- SecretKeyFactory.getInstance: Returns a SecretKeyFactory object that converts keys into key specifications and vice versa. The algorithm parameter can be one of the supported algorithms.
- KeyGenerator.getInstance: Returns a KeyGenerator object that generates secret keys for symmetric algorithms. The algorithm parameter can be one of the supported algorithms.
Some broken symmetric encryption algorithms include:
- DES (Data Encryption Standard): 56-bit key, breakable, withdrawn by NIST in 2005.
- 3DES (Triple DES, officially the Triple Data Encryption Algorithm (TDEA or Triple DEA)): 64-bit block size, vulnerable to Sweet32 birthday attacks, withdrawn by NIST on January 1, 2024.
- RC4: Predictable key stream that allows plaintext recovery (see RC4 Weakness), disapproved by NIST in 2014 and prohibited by IETF in 2015.
- Blowfish: 64-bit block size, vulnerable to Sweet32 attacks, never FIPS-approved, and listed under "Non-Approved algorithms" in FIPS.
Android also provides additional guidance on broken cryptographic algorithms.
Steps
- Use Reverse Engineering Android Apps to reverse engineer the app.
- Use Static Analysis on Android to look for the relevant APIs.
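As an added example that is not part of this MASTG page or its semgrep demo, the following Python scanner applies the two steps above to decompiled Java source: it flags calls to the three getInstance APIs whose string-literal argument names one of the broken algorithms listed in the overview. The sample Java class is constructed for the demo and is not from any real app.

```python
import re

# JCA algorithm names the MASTG test treats as broken. Names are case-insensitive;
# "DESede" is the JCA name for 3DES and "ARCFOUR" is the JCA alias for RC4.
BROKEN_ALGORITHMS = {
    "DES": "DES: 56-bit key, withdrawn by NIST in 2005",
    "DESEDE": "3DES: 64-bit block, Sweet32, withdrawn by NIST in 2024",
    "RC4": "RC4: predictable key stream",
    "ARCFOUR": "RC4: predictable key stream",
    "BLOWFISH": "Blowfish: 64-bit block, Sweet32, never FIPS-approved",
}

# getInstance("<transformation>", ...) on the three JCA entry points; the algorithm
# is the text before the first '/' (e.g. "DES" in "DES/CBC/PKCS5Padding").
GETINSTANCE_RE = re.compile(
    r'\b(Cipher|SecretKeyFactory|KeyGenerator)\.getInstance\(\s*"([^"]+)"'
)

def find_broken_algorithms(java_source):
    """Return (line_no, api, transformation, reason) for every call that names a
    broken algorithm in a string literal. Calls whose argument is built at runtime
    are not matched and still need manual review of the decompiled code."""
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        for api, transformation in GETINSTANCE_RE.findall(line):
            algorithm = transformation.split("/", 1)[0].strip().upper()
            reason = BROKEN_ALGORITHMS.get(algorithm)
            if reason:
                findings.append((line_no, api, transformation, reason))
    return findings

# Constructed sample of decompiled Java; not taken from any real app.
SAMPLE_JAVA = """\
public class CryptoHelper {
    static Cipher weak() throws Exception {
        return Cipher.getInstance("DES/CBC/PKCS5Padding");
    }
    static KeyGenerator legacy() throws Exception {
        return KeyGenerator.getInstance("DESede");
    }
    static Cipher stream() throws Exception {
        return Cipher.getInstance("ARCFOUR");
    }
    static Cipher ok() throws Exception {
        return Cipher.getInstance("AES/GCM/NoPadding");
    }
}
"""

for line_no, api, transformation, reason in find_broken_algorithms(SAMPLE_JAVA):
    print(f'line {line_no}: {api}.getInstance("{transformation}") -> {reason}')
```

Each reported location is a candidate only; per the Evaluation section below it still has to be checked for whether it protects sensitive data.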
Observation
The output should contain a list of locations where insecure symmetric encryption algorithms are used.
Evaluation
The test case fails if you can find insecure or deprecated encryption algorithms being used.
Further Validation Required:
Inspect each reported code location using Reviewing Decompiled Java Code to determine whether the algorithm is used in a security-relevant context to protect sensitive data.
Best Practices
MASTG-BEST-0009: Use Secure Encryption Algorithms
Demos
MASTG-DEMO-0022: Uses of Broken Symmetric Encryption Algorithms in Cipher with semgrep