Deprecate [MASWE-0013] and add [MASTG-TEST-0210] and [MASTG-DEMO-0015] Hardcoded Cryptographic Keys in Code (by appknox)

demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MASTG-DEMO-0015.md

@@ -0,0 +1,28 @@
+---
+platform: android
+title: Use of Hardcoded AES Key in SecretKeySpec with semgrep
+tools: [semgrep]
+code: [java]
+---
+
+### Sample
+
+{{ MastgTest.kt }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-hardcoded-crypto-keys-usage.yaml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified one instance in the code file where hardcoded keys is used. The specified line numbers can be located in the reverse-engineered code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because a hardcoded AES key was found in the code.

demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest.kt

@@ -0,0 +1,28 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import javax.crypto.Cipher
+import javax.crypto.SecretKey
+import javax.crypto.spec.SecretKeySpec
+import android.util.Base64
+
+class MastgTest(private val context: Context) {
+
+    fun mastgTest(): String {
+
+        // Bad: Use of a hardcoded key (from bytes) for encryption
+        val keyBytes = byteArrayOf(0x6C, 0x61, 0x6B, 0x64, 0x73, 0x6C, 0x6A, 0x6B, 0x61, 0x6C, 0x6B, 0x6A, 0x6C, 0x6B, 0x6C, 0x73) // Example key bytes
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        val secretKey = SecretKeySpec(keyBytes, "AES")
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey)
+
+        // Bad: Hardcoded key directly in code (security risk)
+        val badSecretKeySpec = SecretKeySpec("my secret here".toByteArray(), "AES")
+
+
+        // Returning results
+        return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\n" +
+                "Hardcoded AES Encryption Key: ${Base64.encodeToString(keyBytes, Base64.DEFAULT)}\n" +
+                "Hardcoded Key from string: ${Base64.encodeToString(badSecretKeySpec.encoded, Base64.DEFAULT)}\n"
+    }
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java

@@ -0,0 +1,33 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+import kotlin.text.Charsets;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String mastgTest() {
+        byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, 115};
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+        cipher.init(1, secretKey);
+        byte[] bytes = "my secret here".getBytes(Charsets.UTF_8);
+        Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+        SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES");
+        return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\nHardcoded AES Encryption Key: " + Base64.encodeToString(keyBytes, 0) + "\nHardcoded Key from string: " + Base64.encodeToString(badSecretKeySpec.getEncoded(), 0) + '\n';
+    }
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/output.txt

@@ -0,0 +1,18 @@
+
+
+┌─────────────────┐
+│ 3 Code Findings │
+└─────────────────┘
+
+    MastgTest_reversed.java
+   ❯❯❱ hardcoded-crypto-key-test
+          Hardcoded cryptographic keys are found in use.
+
+           24┆ byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108,
+               115};                                                                                      
+           25┆ Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+           26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+            ⋮┆----------------------------------------
+           26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+            ⋮┆----------------------------------------
+           30┆ SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES");                

demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/run.sh

@@ -0,0 +1 @@
+ semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt  

rules/mastg-android-hardcoded-crypto-keys-usage.yml

@@ -0,0 +1,14 @@
+rules:
+  - id: hardcoded-crypto-key-test
+    languages:
+      - java
+    severity: WARNING
+    metadata:
+      summary: This rule scans for hardcoded getting used.
+    message: Hardcoded cryptographic keys are found in use.
+    pattern-either:
+      - pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);
+      - pattern: |-
+          byte[] $KEY = {...};
+          ...
+          new SecretKeySpec($KEY, $ALGO);

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0210.md

@@ -0,0 +1,26 @@
+---
+title: Use of Hardcoded Cryptographic Keys in Code
+platform: android
+id: MASTG-TEST-0210
+type: [static]
+weakness: MASWE-0014
+---
+
+## Overview
+
+In this test case, we will look for the use of hardcoded keys in android applications. To do this, we need to focus on the cryptographic implementations of hardcoded keys. The Java Cryptography Architecture (JCA) provides SecretKeySpec class which allows you to create a secret key from a byte array.
+
+[SecretKeySpec](https://developer.android.com/reference/javax/crypto/spec/SecretKeySpec)
+For more information, you can consult the MASTG section about [Static Analysis](https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/#overview)
+
+## Steps
+
+1. Run a static analysis tool such as @MASTG-TOOL-0110 on the code and look for uses of the hardcoded cryptographic keys.
+
+## Observation
+
+The output should contain a list of locations where hardcoded keys are getting used.
+
+## Evaluation
+
+The test case fails if you can find the hardcoded key is just stored and not used by the application

weaknesses/MASVS-CRYPTO/MASWE-0013.md

@@ -3,19 +3,14 @@ title: Hardcoded Cryptographic Keys in Use
 id: MASWE-0013
 alias: hardcoded-crypto-keys-usage
 platform: [android, ios]
-profiles: [L1, L2]
+profiles: []
 mappings:
   masvs-v1: [MSTG-CRYPTO-1]
   masvs-v2: [MASVS-CRYPTO-2]
+status: deprecated
+---
 
-refs:
-- https://developer.android.com/topic/security/risks/hardcoded-cryptographic-secrets
-draft:
-  description: One thing is to include hardcoded keys in the code, another is to use
-    them.
-  topics:
-  - hardcoded keys used at runtime
-status: draft
 
----
+!!! warning "Deprecated"
 
+    This weakness was deprecated in favor of @MASWE-0014 because of an overlap in the content.