Cryptographic Vulnerability: Hardcoded Key
Description
The main purpose of encrypting and decrypting data is to guarantee the confidentiality of the information and prevent third parties from viewing private data. Pre-shared keys may be used when working with large data sets or to protect the confidentiality of an application's or a user's assets. However, using a hardcoded key makes it much easier for an attacker to decrypt and recover the data if a device is stolen, because the same key is present in every copy of the application.
Recommendation
To ensure proper encryption of sensitive data:
- Keys must be unique to the device and may use input from the user to compute the key.
- When generating a key from a password, use a random salt.
- When generating a key from password, specify an appropriate hash iteration count.
- Use a key length sufficient to guarantee the required strength of encryption.
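The following is an added example, not code from the original page: it shows a constructed hardcoded key of the kind this page warns about beside a PBKDF2-HMAC-SHA256 derivation that follows the recommendations above (random salt, explicit iteration count, 256-bit output). The iteration count, salt length and key length are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration of the flaw: a key embedded in the binary is identical
# on every installed device, so it can be lifted from any copy of the application.
HARDCODED_KEY = bytes(range(16))  # weak: same 128-bit key everywhere

PBKDF2_ITERATIONS = 600_000  # assumed count; tune to the device's CPU budget
SALT_LEN = 16                # 128-bit random salt, stored next to the ciphertext
KEY_LEN = 32                 # 256-bit derived key, e.g. for AES-256


def new_salt() -> bytes:
    """Fresh random salt, generated once per installation or per protected item."""
    return os.urandom(SALT_LEN)


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a per-user key from a password with PBKDF2-HMAC-SHA256.

    The salt makes the derived key unique even when two users pick the same
    password; the iteration count slows down offline guessing.
    """
    if len(salt) < SALT_LEN:
        raise ValueError("salt too short")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def keys_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so a check on a derived key leaks no timing."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    salt = new_salt()
    k1 = derive_key("correct horse battery staple", salt)
    k2 = derive_key("correct horse battery staple", new_salt())
    print(len(k1), keys_equal(k1, k2))  # 32 False: different salts, different keys
```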
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_CRYPTO_1
- OWASP_MASVS_L2:
  - MSTG_CRYPTO_1