Recorded calls to Crypto API

Recorded calls to Crypto API

Risk: info

Description

List of all calls to cryptographic methods.

Recommendation

Do not use insecure or weak cryptographic algorithms. For example, the Data Encryption Standard (DES) encryption algorithm is considered highly insecure

Do not use Object.equals() to compare cryptographic keys.

Cryptographic keys should never be serialized.

Links

• SER03-J. Do not serialize unencrypted sensitive data (CERT Secure Coding)
• DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices (CERT Secure Coding)

Standards

• OWASP_MASVS_L1:
  • MSTG_CRYPTO_1
  • MSTG_CRYPTO_2
  • MSTG_CRYPTO_3
  • MSTG_CRYPTO_4
  • MSTG_CRYPTO_5
  • MSTG_CRYPTO_6
• OWASP_MASVS_L2:
  • MSTG_CRYPTO_1
  • MSTG_CRYPTO_2
  • MSTG_CRYPTO_3
  • MSTG_CRYPTO_4
  • MSTG_CRYPTO_5
  • MSTG_CRYPTO_6