MASTG-TEST-0213: Use of Hardcoded Cryptographic Keys in Code

Overview

In this test case, we examine iOS applications for the presence of hardcoded cryptographic keys. Such keys are typically found either passed directly to cryptographic functions or stored as constants or variables within the code. In iOS, cryptographic keys are often used with the following frameworks:

  • Security Framework: The SecKeyCreateWithData function allows developers to create a cryptographic key from raw data.
  • CommonCrypto: The CCCrypt function accepts raw key data in its key parameter.
  • CryptoKit: Although CryptoKit provides higher-level abstractions for cryptographic operations, developers might still hardcode cryptographic keys in various formats and feed them to initializers such as P256.Signing.PrivateKey.init(rawRepresentation:) or similar.

Steps

  1. Use Exploring the App Package to extract the relevant binaries from the app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.

Observation

The output should include any instances where the app uses cryptographic functions that accept raw key data. Whenever possible, the output should also point to the raw key data in the binary.

Evaluation

The test case fails if calls to cryptographic functions with hardcoded keys are found within the binary.

You may find the keys passed directly as arguments to cryptographic functions (as byte arrays or string literals) or stored in variables or constants within the code. Typical representations of hardcoded keys include:

  • Raw Byte Arrays: Cryptographic keys may be directly embedded in the code as arrays of UInt8 or Data objects. For example, a 256-bit AES key might be represented as a [UInt8] array.
  • Base64-Encoded Strings: Developers might encode cryptographic keys as Base64 strings within the code, which can be easily decoded by attackers if discovered.
  • Hex-Encoded Strings: Keys are sometimes stored as hexadecimal strings, which are then converted to Data objects at runtime for cryptographic operations.

Further Validation Required:

Inspect each reported code location using Reviewing Disassembled Objective-C and Swift Code to determine whether the identified data is indeed a cryptographic key used for security-relevant purposes:

  • Determine whether the identified value is a cryptographic key (configuration settings or non-security-related constants might be misidentified as cryptographic keys).
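The following triage script is an added example for this test case, not part of MASTG or its demos. It scans a byte blob, such as the string table dumped from the extracted binary, for the three representations listed above (hex strings, Base64 strings and PEM private-key headers) of key length, and uses an entropy filter to drop placeholder data; the sample blob and every string in it are constructed. In line with the validation step, each hit is only a candidate until the disassembly shows the value reaching a key-accepting API.

```python
import base64
import binascii
import math
import re

KEY_SIZES = {16, 24, 32}  # bytes: AES-128/192/256, HMAC-SHA256, P-256/Curve25519 scalars
# One pattern per representation listed under Evaluation: hex, Base64, PEM private key.
HEX_RE = re.compile(rb"\b[0-9a-fA-F]{32,64}\b")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{22,44}={0,2}")
PEM_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; n distinct random bytes give log2(n), so 16 bytes top out at 4.0."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def looks_random(raw: bytes) -> bool:
    """Keep key-sized values, drop placeholders such as all-zero or 'AAAA...' data."""
    return len(raw) in KEY_SIZES and shannon_entropy(raw) >= 0.75 * math.log2(len(raw))

def find_key_candidates(blob: bytes) -> list:
    """Return (kind, offset, decoded_length) candidates; each still needs manual
    confirmation in the disassembly that it feeds SecKeyCreateWithData/CCCrypt/CryptoKit."""
    hits = [("pem", m.start(), None) for m in PEM_RE.finditer(blob)]
    for m in HEX_RE.finditer(blob):
        raw = bytes.fromhex(m.group().decode())
        if looks_random(raw):
            hits.append(("hex", m.start(), len(raw)))
    for m in B64_RE.finditer(blob):
        if HEX_RE.fullmatch(m.group()):  # pure hex was already handled above
            continue
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except binascii.Error:  # wrong length or padding: an identifier, not key material
            continue
        if looks_random(raw):
            hits.append(("base64", m.start(), len(raw)))
    return sorted(hits, key=lambda h: h[1])

# Constructed stand-in for the string table of an app binary (not from any real app).
SAMPLE_BLOB = b"\x00".join([
    b"NSStringFromClass", b"applicationDidBecomeActive",  # ordinary symbols
    b"2b7e151628aed2a6abf7158809cf4f3c",                   # hex: FIPS-197 AES-128 test key
    base64.b64encode(bytes(range(32))),                    # Base64: 32 arbitrary bytes
    b"00000000000000000000000000000000",                   # key-sized hex, zero entropy
    b"-----BEGIN EC PRIVATE KEY-----",                     # PEM header of an embedded key
])

if __name__ == "__main__":
    for kind, offset, length in find_key_candidates(SAMPLE_BLOB):
        print(f"{kind:6} @0x{offset:x} {length} bytes")
```

Run against real input by replacing SAMPLE_BLOB with the bytes of the extracted Mach-O or its `strings` output; the offsets then give you the locations to inspect in r2.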

Demos

  • MASTG-DEMO-0013: Use of Hardcoded RSA Private Key in SecKeyCreateWithData with r2
  • MASTG-DEMO-0014: Use of Hardcoded ECDSA Private Key in CryptoKit with r2