-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Deprecate [MASWE-0013] and add [MASTG-TEST-0210] and [MASTG-DEMO-0015…
…] Hardcoded Cryptographic Keys in Code (by appknox) (#2869) * closes 2577 * fix spelling * rm rule for ios * Deprecate weakness MASWE-0013 * Update title for MASTG-TEST-0210 to include "in Code" * added the android test case * Apply suggestions from code review --------- Co-authored-by: Carlos Holguera <[email protected]>
- Loading branch information
1 parent
2e75fea
commit ae2793a
Showing
8 changed files
with
154 additions
and
10 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MASTG-DEMO-0015.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
--- | ||
platform: android | ||
title: Use of Hardcoded AES Key in SecretKeySpec with semgrep | ||
tools: [semgrep] | ||
code: [java] | ||
--- | ||
|
||
### Sample | ||
|
||
{{ MastgTest.kt }} | ||
|
||
### Steps | ||
|
||
Let's run our @MASTG-TOOL-0110 rule against the sample code. | ||
|
||
{{ ../../../../rules/mastg-android-hardcoded-crypto-keys-usage.yaml }} | ||
|
||
{{ run.sh }} | ||
|
||
### Observation | ||
|
||
The rule has identified one instance in the code file where hardcoded keys is used. The specified line numbers can be located in the reverse-engineered code for further investigation and remediation. | ||
|
||
{{ output.txt }} | ||
|
||
### Evaluation | ||
|
||
The test fails because hardcoded cryptographic keys are present in the code. Specifically: | ||
|
||
- On line 24, a byte array that represents a cryptographic key is directly hardcoded into the source code. | ||
- This hardcoded key is then used on line 26 to create a `SecretKeySpec`. | ||
- Additionally, on line 30, another instance of hardcoded data is used to create a separate `SecretKeySpec`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package org.owasp.mastestapp | ||
|
||
import android.content.Context | ||
import javax.crypto.Cipher | ||
import javax.crypto.SecretKey | ||
import javax.crypto.spec.SecretKeySpec | ||
import android.util.Base64 | ||
|
||
class MastgTest(private val context: Context) { | ||
|
||
fun mastgTest(): String { | ||
|
||
// Bad: Use of a hardcoded key (from bytes) for encryption | ||
val keyBytes = byteArrayOf(0x6C, 0x61, 0x6B, 0x64, 0x73, 0x6C, 0x6A, 0x6B, 0x61, 0x6C, 0x6B, 0x6A, 0x6C, 0x6B, 0x6C, 0x73) // Example key bytes | ||
val cipher = Cipher.getInstance("AES/GCM/NoPadding") | ||
val secretKey = SecretKeySpec(keyBytes, "AES") | ||
cipher.init(Cipher.ENCRYPT_MODE, secretKey) | ||
|
||
// Bad: Hardcoded key directly in code (security risk) | ||
val badSecretKeySpec = SecretKeySpec("my secret here".toByteArray(), "AES") | ||
|
||
|
||
// Returning results | ||
return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\n" + | ||
"Hardcoded AES Encryption Key: ${Base64.encodeToString(keyBytes, Base64.DEFAULT)}\n" + | ||
"Hardcoded Key from string: ${Base64.encodeToString(badSecretKeySpec.encoded, Base64.DEFAULT)}\n" | ||
} | ||
} |
33 changes: 33 additions & 0 deletions
33
demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
package org.owasp.mastestapp; | ||
|
||
import android.content.Context; | ||
import android.util.Base64; | ||
import javax.crypto.Cipher; | ||
import javax.crypto.spec.SecretKeySpec; | ||
import kotlin.Metadata; | ||
import kotlin.jvm.internal.Intrinsics; | ||
import kotlin.text.Charsets; | ||
|
||
/* compiled from: MastgTest.kt */ | ||
@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48) | ||
/* loaded from: classes4.dex */ | ||
public final class MastgTest { | ||
public static final int $stable = 8; | ||
private final Context context; | ||
|
||
public MastgTest(Context context) { | ||
Intrinsics.checkNotNullParameter(context, "context"); | ||
this.context = context; | ||
} | ||
|
||
public final String mastgTest() { | ||
byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, 115}; | ||
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); | ||
SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); | ||
cipher.init(1, secretKey); | ||
byte[] bytes = "my secret here".getBytes(Charsets.UTF_8); | ||
Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)"); | ||
SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES"); | ||
return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\nHardcoded AES Encryption Key: " + Base64.encodeToString(keyBytes, 0) + "\nHardcoded Key from string: " + Base64.encodeToString(badSecretKeySpec.getEncoded(), 0) + '\n'; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
|
||
|
||
┌─────────────────┐ | ||
│ 3 Code Findings │ | ||
└─────────────────┘ | ||
|
||
MastgTest_reversed.java | ||
❯❯❱ hardcoded-crypto-key-test | ||
Hardcoded cryptographic keys are found in use. | ||
|
||
24┆ byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, | ||
115}; | ||
25┆ Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); | ||
26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); | ||
⋮┆---------------------------------------- | ||
26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); | ||
⋮┆---------------------------------------- | ||
30┆ SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
rules: | ||
- id: mastg-android-hardcoded-crypto-keys-usage | ||
severity: WARNING | ||
languages: | ||
- java | ||
metadata: | ||
summary: This rule looks for hardcoded keys in use. | ||
message: "[MASVS-CRYPTO-1] Hardcoded cryptographic keys found in use." | ||
pattern-either: | ||
- pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO); | ||
- pattern: |- | ||
byte[] $KEY = {...}; | ||
... | ||
new SecretKeySpec($KEY, $ALGO); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
title: Use of Hardcoded Cryptographic Keys in Code | ||
platform: android | ||
id: MASTG-TEST-0210 | ||
type: [static] | ||
weakness: MASWE-0014 | ||
--- | ||
|
||
## Overview | ||
|
||
In this test case, we will look for the use of hardcoded keys in Android applications. To do this, we need to focus on the cryptographic implementations of hardcoded keys. The Java Cryptography Architecture (JCA) provides the [`SecretKeySpec`](https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec) class, which allows you to create a [`SecretKey`](https://developer.android.com/reference/javax/crypto/SecretKey) from a byte array. | ||
|
||
## Steps | ||
|
||
1. Run a static analysis tool such as @MASTG-TOOL-0110 on the code and look for uses of the hardcoded cryptographic keys. | ||
|
||
## Observation | ||
|
||
The output should contain a list of locations where hardcoded keys are used. | ||
|
||
## Evaluation | ||
|
||
The test case fails if you find any hardcoded keys. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters