
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs

Overview

Android cryptography APIs based on the Java Cryptography Architecture (JCA) allow developers to specify a security provider when calling getInstance methods, either by name (the two-argument overloads such as Cipher.getInstance(transformation, providerName)) or by passing a java.security.Provider object. However, explicitly specifying a provider can cause security issues and break compatibility because several providers have been deprecated or removed in recent Android versions. For example:

This test identifies cases where an app explicitly requests a security provider in JCA getInstance calls instead of relying on the default provider, AndroidOpenSSL (Conscrypt), which is actively maintained and should generally be used. It examines getInstance calls and flags any named provider other than the legitimate exceptions, such as KeyStore.getInstance("AndroidKeyStore"), where the Android Keystore provider must be requested explicitly.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where a security provider is explicitly specified in getInstance calls.

Evaluation

The test case fails if any getInstance call explicitly specifies a security provider, whether as a string name or as a Provider object, other than AndroidKeyStore. AndroidKeyStore is the legitimate exception because KeyStore, KeyGenerator and KeyPairGenerator operations backed by the Android Keystore system have to name it explicitly.
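The observation and evaluation above turned into runnable detection logic, as an added example: this Python scanner is not part of the MASTG page or of its semgrep demo. It is a line-based regular-expression heuristic over Java/Kotlin source, not a semantic analysis, and it assumes the list of JCA engine classes given in the block and the constructed sample source embedded in it. Two-argument getInstance calls are reported with their provider; single-argument calls such as KeyStore.getInstance("AndroidKeyStore") are not, because there the string is the keystore type rather than a provider. A provider passed through a variable cannot be resolved statically and is reported for manual review.

```python
import re
from dataclasses import dataclass

# JCA engine classes whose two-argument getInstance(...) takes the provider as
# the second argument, either as a String name or as a java.security.Provider.
# (Assumed list for this example; extend it for other engine classes.)
JCA_ENGINE_CLASSES = {
    "Cipher", "KeyStore", "KeyGenerator", "KeyPairGenerator", "KeyFactory",
    "SecretKeyFactory", "KeyAgreement", "MessageDigest", "Mac", "Signature",
    "SecureRandom", "AlgorithmParameters", "CertificateFactory",
    "SSLContext", "KeyManagerFactory", "TrustManagerFactory",
}

# Explicit provider names the test accepts (the Android Keystore provider).
ALLOWED_PROVIDERS = {"AndroidKeyStore"}

# Matches Cls.getInstance(<alg>, <provider>) where <provider> is a string
# literal, a `new SomeProvider(...)` expression, or a plain variable.
# Single-argument calls do not match, so KeyStore.getInstance("AndroidKeyStore")
# is never reported: that string is the keystore type, not a provider.
_CALL_RE = re.compile(
    r"\b(?P<cls>[A-Z]\w*)\.getInstance\(\s*"
    r"(?P<alg>\"[^\"]*\"|[^,()]+)\s*,\s*"
    r"(?P<prov>\"[^\"]*\"|new\s+[\w.]+\s*\([^)]*\)|[^,()]+)\s*\)"
)


@dataclass
class Finding:
    line: int
    cls: str
    algorithm: str
    provider: str
    allowed: bool


def _provider_label(raw: str) -> str:
    """Normalise the provider argument into a readable name."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"')
    m = re.match(r"new\s+([\w.]+)", raw)
    if m:
        return m.group(1).rsplit(".", 1)[-1] + " (Provider object)"
    return raw + " (variable, resolve manually)"


def scan_source(source: str) -> list[Finding]:
    """Return every JCA getInstance call that passes an explicit provider."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            if m.group("cls") not in JCA_ENGINE_CLASSES:
                continue  # some other class's getInstance(), e.g. a singleton
            provider = _provider_label(m.group("prov"))
            findings.append(Finding(
                line=lineno,
                cls=m.group("cls"),
                algorithm=m.group("alg").strip().strip('"'),
                provider=provider,
                allowed=provider in ALLOWED_PROVIDERS,
            ))
    return findings


def failing_calls(source: str) -> list[Finding]:
    """Findings that make the test fail: explicit provider not in the allow list."""
    return [f for f in scan_source(source) if not f.allowed]


# Constructed sample input for this example; not taken from any real application.
SAMPLE_SOURCE = """\
// one argument: keystore type, not a provider, so it is not reported
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
Cipher c1 = Cipher.getInstance("AES/GCM/NoPadding");
Cipher c2 = Cipher.getInstance("AES/CBC/PKCS5Padding", "BC");
MessageDigest md = MessageDigest.getInstance("SHA-256", new BouncyCastleProvider());
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "Crypto");
SSLContext ctx = SSLContext.getInstance("TLS", "AndroidOpenSSL");
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        verdict = "ok" if f.allowed else "FAIL"
        print(f"line {f.line}: {f.cls}.getInstance({f.algorithm!r}, "
              f"provider={f.provider}) -> {verdict}")
```

The explicit "AndroidOpenSSL" call on the last sample line is reported even though it names the default provider: the evaluation criterion is any explicit provider other than AndroidKeyStore, and pinning the name also bypasses any provider installed ahead of it. The scanner looks only at getInstance calls, which is the scope of this test; provider registration through Security.addProvider or Security.insertProviderAt is not covered here.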

Best Practices

MASTG-BEST-0020: Update the GMS Security Provider

Demos

MASTG-DEMO-0075: Uses of Explicit Security Providers in Cryptographic APIs with semgrep