New Risk - Hardcoded Cryptographic Keys in Use [hardcoded-crypto-keys-usage] #2577

Open
4 tasks
cpholguera opened this issue Mar 1, 2024 · 3 comments
Comments

@cpholguera
Collaborator

cpholguera commented Mar 1, 2024

Description

Create a new risk for "Hardcoded Cryptographic Keys in Use (MASVS-CRYPTO-2)" using the following information:

One thing is to include hardcoded keys in the code, another is to use them.

Create "risks/MASVS-CRYPTO/2-***-****/hardcoded-crypto-keys-usage/risk.md" including the following content:

---
title: Hardcoded Cryptographic Keys in Use
alias: hardcoded-crypto-keys-usage
platform: [android, ios]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-1]
  masvs-v2: [MASVS-CRYPTO-2]
  mastg-v1: [MASTG-TEST-0062, MASTG-TEST-0013]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections, follow the guidelines from Writing MASTG Risks & Tests.

Use at least the following references:

When creating the corresponding tests, use the following areas to guide you:

  • hardcoded keys used at runtime

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-CRYPTO/2-***-****/hardcoded-crypto-keys-usage/risk.md)
  • The risk content follows the guidelines
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
  • The risk indicates the related MASTG v1 tests in its metadata.
@ScreaMy7
Collaborator

ScreaMy7 commented Mar 1, 2024

I can work on this. Please assign this to me.

@ScreaMy7
Collaborator

ScreaMy7 commented Apr 8, 2024

Hi @cpholguera,
Can you explain a bit more about the test cases derived from this risk and what the term "hardcoded keys used at runtime" means here?
We came up with two possible conclusions here: the first could be the detection of API tokens and secrets hardcoded in the code, and the second could be the detection of keys of the cryptographic algorithm.
Thanks,

@cpholguera
Collaborator Author

@ScreaMy7 This comes from the original requirement MASVS 3.1 (MSTG-CRYPTO-1): "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption."

The fact that "sensitive data is hardcoded in the app package" should be covered by #2543 (which will include crypto keys, API keys and more).

This risk here is about the "use of Cryptographic Keys" specifically.

The tests should be pretty straightforward, using the existing MASTG v1 tests linked above as a base. For example, the Android one illustrates this case: https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/

So basically the work to be done here is:

  • Create a risk (generic about the risk)
  • Create a test for Android (mentioning specific Android crypto APIs)
    • Create one example for the static test
    • Create one example for the dynamic test
  • Create a test for iOS (mentioning specific iOS crypto APIs)
    • Create one example for the static test
    • Create one example for the dynamic test

Here are 2 existing risks, including static and dynamic tests, which you can use as a reference:

Guidelines: https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?usp=sharing
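The distinction drawn in this thread, a key that is merely present in the package (#2543) versus a key that is actually handed to a cipher at runtime (this risk), is what an Android static test for it has to encode. The following script is an added illustration of that kind of check; it is not code from the MASTG or from the issue participants. It assumes the input is decompiled Java source and uses simple regular expressions rather than a real parser, and the sample source with its `Unused`, `Bad` and `Good` classes is constructed for the example. It reports a `SecretKeySpec` as a finding for this risk only when its key argument is a string or byte-array literal, or a `final` constant initialised from one; a constant that is declared but never reaches `SecretKeySpec` is listed separately, since that belongs to the "secrets in the package" risk.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of decompiled Android source (not taken from any real app).
SAMPLE_SOURCE = """\
public class Unused {
    // declared but never fed to a cipher: a "secret in the package" finding, not this risk
    private static final byte[] LEGACY_KEY = {0x01, 0x02, 0x03, 0x04};
}
public class Bad {
    private static final String AES_KEY = "0123456789abcdef";
    void encrypt(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, spec);
    }
    void encryptInline(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[]{1, 2, 3, 4}, "AES"));
    }
}
public class Good {
    void encrypt(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey("my_alias", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
    }
}
"""

# A `final` String or byte[] field initialised from a literal.
CONST_DECL = re.compile(
    r'(?:static\s+)?final\s+(?:byte\[\]|String)\s+(?P<name>\w+)\s*=\s*'
    r'(?P<value>\{[^}]*\}|"[^"]*")'
)
# First argument of `new SecretKeySpec(...)`; braces may contain commas, so they are
# consumed as a unit before the argument-separating comma is looked for.
KEYSPEC_USE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(?P<arg>(?:[^,{]|\{[^}]*\})+?)\s*,')
# Argument that starts with a literal: "..." or {...} / new byte[]{...}
INLINE_LITERAL = re.compile(r'^(?:"[^"]*"|(?:new\s+byte\[\]\s*)?\{[^}]*\})')


@dataclass
class Finding:
    line: int          # 1-based line of the SecretKeySpec construction
    key_source: str    # constant name, or "<inline literal>"
    expression: str    # the key argument as written in the source


def find_hardcoded_key_constants(source: str) -> dict[str, str]:
    """Map constant name -> literal value for every literal-initialised final field."""
    return {m.group("name"): m.group("value") for m in CONST_DECL.finditer(source)}


def find_hardcoded_keys_in_use(source: str) -> list[Finding]:
    """Findings for this risk: a literal key (inline or via a constant) fed to SecretKeySpec."""
    constants = find_hardcoded_key_constants(source)
    findings: list[Finding] = []
    for m in KEYSPEC_USE.finditer(source):
        arg = m.group("arg")
        line = source.count("\n", 0, m.start()) + 1
        if INLINE_LITERAL.match(arg):
            findings.append(Finding(line, "<inline literal>", arg))
            continue
        # e.g. AES_KEY.getBytes("UTF-8"): the argument references a literal constant
        for name in constants:
            if re.search(rf"\b{re.escape(name)}\b", arg):
                findings.append(Finding(line, name, arg))
                break
    return findings


def find_unused_hardcoded_keys(source: str) -> list[str]:
    """Literal key constants that never reach SecretKeySpec (belong to the #2543 risk instead)."""
    used = {f.key_source for f in find_hardcoded_keys_in_use(source)}
    return sorted(n for n in find_hardcoded_key_constants(source) if n not in used)


if __name__ == "__main__":
    for f in find_hardcoded_keys_in_use(SAMPLE_SOURCE):
        print(f"line {f.line}: hardcoded key in use via {f.key_source}: {f.expression}")
    for name in find_unused_hardcoded_keys(SAMPLE_SOURCE):
        print(f"constant {name} is hardcoded but not used with SecretKeySpec")
```

Run on the sample, the script flags lines 8 and 14 of the `Bad` class and lists `LEGACY_KEY` as present-but-unused, while the `Good` class, which obtains its key from the Android Keystore, produces nothing. A dynamic test for the same risk would instead hook `SecretKeySpec` at runtime and compare the key bytes against literals found in the package; the static check above is only the first half of that pairing.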
