The examples from the original MASTG-TEST-0013 need to be adjusted as demos for the v2 MASTG-TEST-0x13 tests (#3033).
Original content
As an example, we illustrate how to locate the use of a hardcoded encryption key. First disassemble and decompile (@MASTG-TECH-0017) the app to obtain Java code, e.g. by using @MASTG-TOOL-0018.
Now search the files for usages of the SecretKeySpec class, e.g. by simply grepping recursively through them or by using the jadx search function:
grep -r "SecretKeySpec"
This will return all classes using the SecretKeySpec class. Now examine those files and trace which variables are used to pass the key material. The figure below shows the result of performing this assessment on a production-ready application. We can clearly locate the use of a static encryption key that is hardcoded and initialized in the static byte array Encrypt.keyBytes.
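The two-step procedure above (grep for SecretKeySpec, then trace the key argument back to its declaration) can be automated over a decompiled source tree. The following is an added example, not MASTG code; the Java snippets are constructed, with Encrypt.keyBytes modelled on the hardcoded field the text describes, and the declaration lookup is a heuristic that drops the class qualifier and searches every file.

```python
import re

# Constructed sample of decompiled Java, not the app from the page. Encrypt.keyBytes
# mirrors the hardcoded static byte[] in the text; KeystoreCrypto gets its key at runtime.
SAMPLE_SOURCES = {
    "com/example/Encrypt.java": (
        "public class Encrypt {\n"
        "    static byte[] keyBytes = {(byte) 0x01, (byte) 0x23, (byte) 0x45};\n"
        "    static byte[] run(byte[] d) throws Exception {\n"
        "        SecretKeySpec spec = new SecretKeySpec(Encrypt.keyBytes, \"AES\");\n"
        "        return Cipher.getInstance(\"AES/GCM/NoPadding\").doFinal(d);\n"
        "    }\n}\n"
    ),
    "com/example/Legacy.java": (
        "public class Legacy {\n"
        "    SecretKeySpec k = new SecretKeySpec(\"p4ssw0rd\".getBytes(), \"AES\");\n}\n"
    ),
    "com/example/KeystoreCrypto.java": (
        "public class KeystoreCrypto {\n"
        "    static byte[] run(byte[] d, byte[] derived) throws Exception {\n"
        "        SecretKeySpec spec = new SecretKeySpec(derived, \"AES\");\n"
        "        return d;\n    }\n}\n"
    ),
}

# Step 1: the equivalent of grep -r "SecretKeySpec", capturing the key-material argument.
SPEC_RE = re.compile(r"new\s+SecretKeySpec\s*\(\s*([^,]+?)\s*,")
IDENT_RE = re.compile(r"^[A-Za-z_][\w.]*$")

def find_key_expressions(sources):
    return [(path, m.group(1)) for path, src in sources.items()
            for m in SPEC_RE.finditer(src)]

def declared_as_literal(sources, name):
    """Step 2: trace an identifier to a byte[] field initialised from a literal.
    Heuristic: the class qualifier is dropped and all sources are searched."""
    field = name.split(".")[-1]
    decl = re.compile(r"byte\s*\[\]\s*" + re.escape(field) + r"\s*=\s*[{\"]")
    return any(decl.search(src) for src in sources.values())

def find_hardcoded_keys(sources):
    """Return (path, expression) pairs whose key material is compiled into the app."""
    hits = []
    for path, expr in find_key_expressions(sources):
        if expr.startswith('"'):                      # string literal passed inline
            hits.append((path, expr))
        elif IDENT_RE.match(expr) and declared_as_literal(sources, expr):
            hits.append((path, expr))                 # field holding a literal byte[]
    return hits
```

A key passed in from a parameter or derived at runtime (KeystoreCrypto above) is reported by step 1 but not flagged by step 2, which is exactly the manual triage the text describes.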
Dynamic Analysis
You can use @MASTG-TECH-0033 on cryptographic methods to determine input/output values such as the keys that are being used. Monitor file system access while cryptographic operations are being performed to assess where key material is written to or read from. For example, monitor the file system by using the API monitor of @MASTG-TOOL-0037.