From fe8af196a8816866457324eb75af6b8b108da4cd Mon Sep 17 00:00:00 2001
From: ScreaM <70141504+ScreaMy7@users.noreply.github.com>
Date: Tue, 3 Sep 2024 12:08:17 +0530
Subject: [PATCH] added the android test case
---
 .../MASTG-DEMO-0015/MastgTest_reversed.java | 33 +++++++++++++++++++
 .../MASVS-CRYPTO/MASTG-DEMO-0015/output.txt | 17 ++++++++++
 .../MASVS-CRYPTO/MASTG-DEMO-0015/run.sh | 2 +-
 ...tg-android-hardcoded-crypto-keys-usage.yml | 20 +++++------
 .../android/MASVS-CRYPTO/MASTG-TEST-0210.md | 11 ++++---
 5 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
new file mode 100644
index 0000000000..d0d580239a
--- /dev/null
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
@@ -0,0 +1,33 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+import kotlin.text.Charsets;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+ public static final int $stable = 8;
+ private final Context context;
+
+ public MastgTest(Context context) {
+ Intrinsics.checkNotNullParameter(context, "context");
+ this.context = context;
+ }
+
+ public final String mastgTest() {
+ byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, 115};
+ Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+ cipher.init(1, secretKey);
+ byte[] bytes = "my secret here".getBytes(Charsets.UTF_8);
+ Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+ SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES");
+ return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\nHardcoded AES Encryption Key: " + Base64.encodeToString(keyBytes, 0) + "\nHardcoded Key from string: " + Base64.encodeToString(badSecretKeySpec.getEncoded(), 0) + '\n';
+ }
+}
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/output.txt b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/output.txt
index 0dca766eb7..21583e021d 100644
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/output.txt
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/output.txt
@@ -1 +1,18 @@
+
+┌─────────────────┐
+│ 3 Code Findings │
+└─────────────────┘
+
+ MastgTest_reversed.java
+ ❯❯❱ hardcoded-crypto-key-test
+ Hardcoded cryptographic keys are found in use.
+
+ 24┆ byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108,
+ 115};
+ 25┆ Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+ 26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+ ⋮┆----------------------------------------
+ 26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+ ⋮┆----------------------------------------
+ 30┆ SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES");
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh
index 1bede0f14b..62d4ea096f 100644
--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh
@@ -1 +1 @@
- semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./hardcoded-key-in-use.java --text -o output.txt
\ No newline at end of file
+ semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt
\ No newline at end of file
diff --git a/rules/mastg-android-hardcoded-crypto-keys-usage.yml b/rules/mastg-android-hardcoded-crypto-keys-usage.yml
index 2bdccf5857..c524779aef 100644
--- a/rules/mastg-android-hardcoded-crypto-keys-usage.yml
+++ b/rules/mastg-android-hardcoded-crypto-keys-usage.yml
@@ -1,14 +1,14 @@
 rules:
 - id: hardcoded-crypto-key-test
- pattern-either:
- - pattern: |
- new SecretKeySpec($KEY.getBytes(), $ALGO)
- - pattern: |
- byte[] $KEY = "...".getBytes();
- ...
- new SecretKeySpec($KEY, $ALGO);
- message: >-
- Hardcoded cryptographic keys are found in use.
 languages:
 - java
- severity: WARNING
\ No newline at end of file
+ severity: WARNING
+ metadata:
+ summary: This rule scans for hardcoded getting used.
+ message: Hardcoded cryptographic keys are found in use.
+ pattern-either:
+ - pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);
+ - pattern: |-
+ byte[] $KEY = {...};
+ ...
+ new SecretKeySpec($KEY, $ALGO);
\ No newline at end of file
diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md
index 9a7b11713d..c5aab4c2ae 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md
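Review bot: The new first alternative `SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);` is not anchored on anything hardcoded, so it fires on every SecretKeySpec construction, including keys that come from a KDF, the Android Keystore or a server, and the rule no longer separates hardcoded keys from legitimate ones; the demo output already shows the overlap, with line 26 reported twice (once per alternative), and line 30 appears to be matched only by this broad pattern. The removed `$KEY.getBytes()` alternatives were the ones tied to a string literal, which is exactly the `badSecretKeySpec` case in MastgTest_reversed.java, so they should come back in anchored form rather than be replaced by the catch-all; a sketch of the two literal-bound alternatives is below, keeping the `byte[] $KEY = {...}` alternative as is. The `summary` text also reads `This rule scans for hardcoded getting used.` and should say `This rule scans for hardcoded cryptographic keys getting used.`.
```yaml
    pattern-either:
      - pattern: new SecretKeySpec("...".getBytes(...), $ALGO)
      - pattern: |-
          byte[] $KEY = "...".getBytes(...);
          ...
          new SecretKeySpec($KEY, $ALGO);
      # … unchanged: the byte[] $KEY = {...}; … new SecretKeySpec($KEY, $ALGO); alternative …
```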
@@ -8,16 +8,19 @@ weakness: MASWE-0014
 ## Overview
-The application appears to utilize a hardcoded key for its cryptographic implementations.
+In this test case, we will look for the use of hardcoded keys in android applications. To do this, we need to focus on the cryptographic implementations of hardcoded keys. The Java Cryptography Architecture (JCA) provides SecretKeySpec class which allows you to create a secret key from a byte array.
+
+[SecretKeySpec](https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec)
+For more information, you can consult the MASTG section about [Static Analysis](https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/#overview)
 ## Steps
-1. Run a static analysis tool like semgrep on the code and look for uses of hardcoded keys getting used.
+1. Run a static analysis tool such as @MASTG-TOOL-0110 on the code and look for uses of the hardcoded cryptographic keys.
 ## Observation
-The output should contain a **list of locations where hardcoded keys are getting used** .
+The output should contain a list of locations where hardcoded keys are getting used.
 ## Evaluation
-The test case fails if you can find the hardcoded key is just stored and not used.
+The test case fails if you can find the hardcoded key is just stored and not used by the application