New Risk - Potentially Weak Cryptography Implementations [potentially-weak-crypto-impl]

[cpholguera]

Description

Create a new risk for "Potentially Weak Cryptography Implementations (MASVS-CRYPTO-1)" using the following information:

Don't use outdated or known weak implementations and don't build your own cryptography. Using custom cryptography instead of relying on established, expert-designed APIs or certified modules exposes apps to vulnerabilities due to potential implementation flaws and lack of rigorous security review.

Create "risks/MASVS-CRYPTO/1-***-****/potentially-weak-crypto-impl/risk.md" including the following content:

---
title: Potentially Weak Cryptography Implementations
alias: potentially-weak-crypto-impl
platform: [android, ios]
profiles: [L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-2]
  masvs-v2: [MASVS-CRYPTO-1, MASVS-CODE-3]
  mastg-v1: [MASTG-TEST-0061, MASTG-TEST-0014]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

• https://cwe.mitre.org/data/definitions/1240.html
• https://cwe.mitre.org/data/definitions/327.html
• https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)
• https://developer.android.com/privacy-and-security/security-gms-provider
• https://developer.android.com/privacy-and-security/cryptography#bc-algorithms
• https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library
• https://developer.android.com/privacy-and-security/cryptography#crypto_provider
• https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

When creating the corresponding tests, use the following areas to guide you:

• platform-provided cryptographic APIs (e.g. conscrypt/CryptoKit)
• custom-made cryptographic APIs (e.g. via xor, bit flipping, etc. or cryptographic constants or values such as sbox, etc.)
• custom algorithms, primitives, protocols
• specify Cipher.getInstance provider (Android)
• Android Security Provider (Android)
• Jetpack Security Crypto Library (Android)
• BoucyCastle algorithms (Android)

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

• MASTG-TEST-0061 - Verifying the Configuration of Cryptographic Standard Algorithms (ios)
• MASTG-TEST-0014 - Testing the Configuration of Cryptographic Standard Algorithms (android)

Acceptance Criteria

• The risk has been created in the correct directory (risks/MASVS-CRYPTO/1-***-****/potentially-weak-crypto-impl/risk.md)
• The risk content follows the guidelines
• At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
• The risk indicates the related MASTG v1 tests in its metadata.