MASTG-TEST-0209: Insufficient Key Sizes
Overview
In this test case, we will look for the use of insufficient key sizes in iOS apps. To do this, we need to focus on the cryptographic frameworks and libraries that are available in iOS and the methods that are used to generate cryptographic keys.
- CommonCrypto: The CCCrypt function is used for symmetric encryption and decryption and specifies the key size or key length in its fifth parameter keyLength.
- Security: The SecKeyCreateRandomKey function is used to generate a random key using certain attributes including kSecAttrKeyType and kSecAttrKeySizeInBits. The SecKeyGeneratePair function is deprecated in iOS 16.
- CryptoKit: The AES.GCM and ChaChaPoly classes are used for symmetric encryption and decryption.
Since you don't usually generate keys directly in CryptoKit (the library does that for you automatically), we'll focus on the CommonCrypto and Security libraries in this test.
Steps
- Run a static analysis tool such as radare2 for iOS on the app binary, or use a dynamic analysis tool like Frida for iOS, and look for uses of the cryptographic functions that generate keys.
Observation
The output should contain the disassembled code of the functions using CCCrypt or other cryptographic functions.
Evaluation
The test case fails if you can find the use of insufficient key sizes within the source code. For example, a 1024-bit key size is considered insufficient for RSA encryption, and a 128-bit key size is considered insufficient for AES encryption when quantum computing attacks are taken into account.
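The dynamic-analysis route from the Steps section, as an added example that is not part of the MASTG or its demos: a Frida agent that hooks CCCrypt, reads the algorithm and the fifth parameter keyLength, and flags small keys. The 256-bit minimum is an assumed policy based on the evaluation above, and evaluateCCCrypt, summarize and the summary RPC export are names introduced here.

```javascript
// Frida agent (added example): record the key size of every CCCrypt call.
// CCAlgorithm values as defined in CommonCrypto's CommonCryptor.h.
const CC_ALGORITHMS = ['AES', 'DES', '3DES', 'CAST', 'RC4', 'RC2', 'Blowfish'];

// Assumption: minimum acceptable symmetric key size in bits. The page treats
// 128-bit AES as insufficient, so this policy requires 256.
const MIN_SYMMETRIC_BITS = 256;

// Map CCCrypt's raw arguments (alg = 2nd, keyLength in bytes = 5th) to a finding.
function evaluateCCCrypt(alg, keyLengthBytes) {
  const algorithm = CC_ALGORITHMS[alg] || `unknown(${alg})`;
  const bits = keyLengthBytes * 8;
  return { api: 'CCCrypt', algorithm, bits, insufficient: bits < MIN_SYMMETRIC_BITS };
}

// Collapse repeated calls into one entry per (algorithm, size) with a call count.
function summarize(findings) {
  const byKey = new Map();
  for (const f of findings) {
    const key = `${f.algorithm}-${f.bits}`;
    const entry = byKey.get(key) || { ...f, calls: 0 };
    entry.calls += 1;
    byKey.set(key, entry);
  }
  return [...byKey.values()];
}

// The hook only installs inside Frida; under plain Node.js nothing below runs.
if (typeof Interceptor !== 'undefined') {
  const findings = [];
  const addr = Module.getGlobalExportByName
    ? Module.getGlobalExportByName('CCCrypt')   // Frida 17 and later
    : Module.findExportByName(null, 'CCCrypt'); // earlier Frida releases
  Interceptor.attach(addr, {
    onEnter(args) {
      const f = evaluateCCCrypt(args[1].toInt32(), args[4].toInt32());
      findings.push(f);
      if (f.insufficient) {
        console.log(`[!] CCCrypt ${f.algorithm} with ${f.bits}-bit key, called from:`);
        console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress).join('\n'));
      }
    }
  });
  // Lets the host-side tool fetch the aggregated result over RPC.
  rpc.exports = { summary: () => summarize(findings) };
}
```

The backtrace printed for each flagged call points at the app code that chose the key length, which is the location to report in the finding.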
Demos
MASTG-DEMO-0011: Uses of Insufficient Key Size in SecKeyCreateRandomKey with r2