MSTG-CRYPTO-1: Only symmetric cryptography? #574

daMatz · 2021-04-22T12:29:03Z

daMatz
Apr 22, 2021

MSTG-CRYPTO-1 states:

The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.

I figure that they idea is, that when a symmetric key is hardcoded on the device, the attacker has access to it and can decrypt sensitive data.

When asymmetric cryptography is used, normally just the public key resides on the client side.

But technically the scenario, when data is asymmetrically encrpyted and the public and private key are hardcoded on the device, the impact would be the same as for symmetric cryptography but the test case would technically allow this broken scenario.

I would suggest to expand the requirement to:

The app does not rely on cryptography with hardcoded keys as a sole method of encryption.

Answered by cpholguera

Dec 16, 2021

This is considered in the new release of MASVS-CRYPTO (#612). Closing this discussion since we'll track the issue in the spreadsheet anyway.

View full answer

vixentael · 2021-11-16T19:13:04Z

vixentael
Nov 16, 2021

very much +1 to this proposal

0 replies

cpholguera · 2021-12-16T10:23:28Z

cpholguera
Dec 16, 2021
Maintainer

This is considered in the new release of MASVS-CRYPTO (#612). Closing this discussion since we'll track the issue in the spreadsheet anyway.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MSTG-CRYPTO-1: Only symmetric cryptography? #574

{{title}}

Replies: 2 comments

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

MSTG-CRYPTO-1: Only symmetric cryptography? #574

daMatz Apr 22, 2021

Replies: 2 comments

vixentael Nov 16, 2021

cpholguera Dec 16, 2021 Maintainer

daMatz
Apr 22, 2021

vixentael
Nov 16, 2021

cpholguera
Dec 16, 2021
Maintainer