Skip to content

MASTG-TEST-0232: Broken Symmetric Encryption Modes

Overview

To test for the use of broken encryption modes in Android apps, we should focus on methods in cryptographic frameworks and libraries used to configure and apply encryption modes.

In Android development, the Cipher class from the Java Cryptography Architecture (JCA) is the primary API for specifying the encryption mode for cryptographic operations. Cipher.getInstance defines the transformation string, which includes the encryption algorithm, mode of operation, and padding scheme. The general format is "Algorithm/Mode/Padding". For example:

Cipher.getInstance("AES/ECB/PKCS5Padding")

In this test, we're going to focus on symmetric encryption modes such as ECB (Electronic Codebook).

ECB (defined in NIST SP 800-38A) is generally discouraged see NIST announcement in 2023 due to its inherent security weaknesses. While not explicitly prohibited, its use is limited and advised against in most scenarios. ECB is a block cipher mode that operates deterministically, dividing plaintext into blocks and encrypting them separately, which reveals patterns in the ciphertext. This makes it vulnerable to attacks like known-plaintext attacks and chosen-plaintext attacks.

For example, the following transformations are all considered vulnerable:

  • "AES" (uses AES/ECB mode by default)
  • "AES/ECB/NoPadding"
  • "AES/ECB/PKCS5Padding"
  • "AES/ECB/ISO10126Padding"

You can learn more about ECB and other modes in NIST SP 800-38A - Recommendation for Block Cipher Modes of Operation: Methods and Techniques. Also check the Decision to Revise NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques and NIST IR 8459 Report on the Block Cipher Modes of Operation in the NIST SP 800-38 Series for the latest information.

Out of Scope: Asymmetric encryption modes, such as RSA, are out of scope for this test because they don't use block modes like ECB.

In the transformation strings like "RSA/ECB/OAEPPadding" or "RSA/ECB/PKCS1Padding", the inclusion of ECB in this context is misleading. Unlike symmetric ciphers, RSA doesn't operate in block modes like ECB. The ECB designation is a placeholder in some cryptographic APIs and doesn't imply that RSA uses ECB mode. Understanding these nuances helps prevent false positives.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where broken encryption modes are used in cryptographic operations.

Evaluation

The test case fails if any broken modes are identified in the app.

Further Validation Required:

Inspect each reported code location using Reviewing Decompiled Java Code to determine whether this is being used to perform encryption or decryption operations on sensitive data.

Best Practices

MASTG-BEST-0005: Use Secure Encryption Modes

Demos

MASTG-DEMO-0023: Uses of Broken Encryption Modes in Cipher with semgrep