Ports MASTG-TEST-0014 (by @guardsquare)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md

@@ -0,0 +1,28 @@
+---
+platform: android
+title: Weak Hashing Algorithms
+id: MASTG-TEST-0x14-1
+type: [static, dynamic]
+weakness: MASWE-0021
+---
+
+## Overview
+
+When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used.
+
+## Observation
+
+The output should contain a list of locations where hashing is being used and the respective algorithms.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario.
+
+## References
+
+- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions)
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md

@@ -0,0 +1,31 @@
+---
+platform: android
+title: Hardcoded Initialization Vectors
+id: MASTG-TEST-0x14-22-2
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (`IV`)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the `IV` does not have to be kept secret, but it should not be reused or predictable.
+
+**Hardcoded initialization vectors** are the worst scenario and allow an attacker to easily defeat the purpose for which the encryption is being used.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you can find `AlgorithmParameterSpec` objects being created with hardcoded data and then used to initialize a `Cipher`.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md

@@ -0,0 +1,34 @@
+---
+platform: android
+title: Reused Initialization Vectors
+id: MASTG-TEST-0x14-22-1
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the IV does not have to be kept secret, but it should not be reused or predictable.
+
+Reusing initialization vectors allow the attacker to recover the original message and in the case of some modes (e.g., `GCM`) allow [tampering with the encrypted messages](https://asecuritysite.com/golang/go_reuseiv).
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you observe at least one of the following:
+
+- you can find the multiple `AlgorithmParameterSpec` objects created with the same data, and each then used to initialize its `Cipher`.
+- you can find the same `AlgorithmParameterSpec` object used to initialize multiple `Cipher`s.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md

@@ -0,0 +1,31 @@
+---
+platform: android
+title: Predictable Initialization Vectors
+id: MASTG-TEST-0x14-22-3
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the IV does not have to be kept secret, but it should not be reused or predictable.
+
+Predictable initialization vectors can allow the attackers to conduct [chosen plaintext attack](https://crypto.stackexchange.com/a/18401), and therefore should be avoided in security sensitive scenarios.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you can find `AlgorithmParameterSpec` objects being created with weak or deterministic random generator and then used to initialize a `Cipher` that is used in a security sensitive scenario.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md

@@ -0,0 +1,40 @@
+---
+platform: android
+title: Weak Padding
+id: MASTG-TEST-0x14-23
+type: [static, dynamic]
+weakness: MASWE-0023
+---
+
+## Overview
+
+The cipher padding used in a security sensitive context should be carefully selected, otherwise it can be used to compromise the confidentiality, integrity and authenticity of the encrypted data.
+
+In the case of symmetric block ciphers, a secure padding scheme is used to prevent that the last block is not filled data that could be exploited by the adversary.
+In the case of asymmetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext.
+
+Check the [documentation on attacks against padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples.
+
+There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocks.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of encryption related APIs, such as [`Cipher.getInstance`](https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)), and the first argument (`transformation`) being used.
+
+## Observation
+
+The output should contain a list of locations where a `Cipher` is being created and the text of the respective `transformation`.
+
+## Evaluation
+
+The test case fails if you can find at least one `Cipher` defined with a `transformation` whose [padding scheme is not adequate](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) to the algorithm and mode, and such `Cipher` is used in a security sensitive context.
+
+- If you are using `RSA` algorithm, you are required to use `OAEPPadding` (or one of its versions);
+- Otherwise, weak padding such as NoPadding, ZeroPadding, etc. should be avoided unless you are sure that is secure for that specific combination (e.g., as is the case for `AES/GCM/NoPadding`).
+
+Check the documentation for [specific recommendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms).
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)
+- [Cryptographic Mechanisms: Recommendations and Key Lengths](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-24.md

@@ -0,0 +1,51 @@
+---
+platform: android
+title: Weak Message Authentication Codes (MAC) Algorithms
+id: MASTG-TEST-0x14
+type: [static, dynamic]
+weakness: MASWE-0024	
+---
+
+## Overview
+
+When apps need to use hashing in security sensitive scenarios, appropriate algorithms should be used.
+
+--  MASTG-TEST-0014 -- 
+Identify all the instances of the cryptographic primitives in code. Identify all custom cryptography implementations. You can look for:
+
+- classes `Cipher`, `Mac`, `MessageDigest`, `Signature`
+- interfaces `Key`, `PrivateKey`, `PublicKey`, `SecretKey`
+- functions `getInstance`, `generateKey`
+- exceptions `KeyStoreException`, `CertificateException`, `NoSuchAlgorithmException`
+- classes which uses `java.security.*`, `javax.crypto.*`, `android.security.*` and `android.security.keystore.*` packages.
+
+Identify that all calls to getInstance use default `provider` of security services by not specifying it (it means AndroidOpenSSL aka Conscrypt). `Provider` can only be specified in `KeyStore` related code (in that situation `KeyStore` should be provided as `provider`). If other `provider` is specified it should be verified according to situation and business case (i.e. Android API version), and `provider` should be examined against potential vulnerabilities.  
+
+Ensure that the best practices outlined in the "[Cryptography for Mobile Apps](../../../Document/0x04g-Testing-Cryptography.md)" chapter are followed. Look at [insecure and deprecated algorithms](../../../Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms) and [common configuration issues](../../../Document/0x04g-Testing-Cryptography.md#common-configuration-issues).
+
+#### Dynamic Analysis
+
+You can use @MASTG-TECH-0033 on cryptographic methods to determine input / output values such as the keys that are being used. Monitor file system access while cryptographic operations are being performed to assess where key material is written to or read from. For example, monitor the file system by using the [API monitor](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security#8-api-monitor---android-only) of @MASTG-TOOL-0037.
+
+
+
+
+When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms.
+
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used.
+
+## Observation
+
+The output should contain a list of locations where hashing is being used and the respective algorithms.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario.
+
+## References
+
+- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions)
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-25.md

@@ -0,0 +1,53 @@
+---
+platform: android
+title: Weak Signature Algorithms
+id: MASTG-TEST-0x14
+type: [static, dynamic]
+weakness: MASWE-0025	
+---
+
+## Overview
+
+The use of weak signature such as SHA1withRSA, etc. in a security sensitive context should be avoided to ensure the integrity and authenticity of the data.
+
+
+
+--  MASTG-TEST-0014 -- 
+Identify all the instances of the cryptographic primitives in code. Identify all custom cryptography implementations. You can look for:
+
+- classes `Cipher`, `Mac`, `MessageDigest`, `Signature`
+- interfaces `Key`, `PrivateKey`, `PublicKey`, `SecretKey`
+- functions `getInstance`, `generateKey`
+- exceptions `KeyStoreException`, `CertificateException`, `NoSuchAlgorithmException`
+- classes which uses `java.security.*`, `javax.crypto.*`, `android.security.*` and `android.security.keystore.*` packages.
+
+Identify that all calls to getInstance use default `provider` of security services by not specifying it (it means AndroidOpenSSL aka Conscrypt). `Provider` can only be specified in `KeyStore` related code (in that situation `KeyStore` should be provided as `provider`). If other `provider` is specified it should be verified according to situation and business case (i.e. Android API version), and `provider` should be examined against potential vulnerabilities.  
+
+Ensure that the best practices outlined in the "[Cryptography for Mobile Apps](../../../Document/0x04g-Testing-Cryptography.md)" chapter are followed. Look at [insecure and deprecated algorithms](../../../Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms) and [common configuration issues](../../../Document/0x04g-Testing-Cryptography.md#common-configuration-issues).
+
+#### Dynamic Analysis
+
+You can use @MASTG-TECH-0033 on cryptographic methods to determine input / output values such as the keys that are being used. Monitor file system access while cryptographic operations are being performed to assess where key material is written to or read from. For example, monitor the file system by using the [API monitor](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security#8-api-monitor---android-only) of @MASTG-TOOL-0037.
+
+
+
+
+When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms.
+
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used.
+
+## Observation
+
+The output should contain a list of locations where hashing is being used and the respective algorithms.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario.
+
+## References
+
+- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions)
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-26.md

@@ -0,0 +1,51 @@
+---
+platform: android
+title: Improper Verification of Cryptographic Signature
+id: MASTG-TEST-0x14
+type: [static, dynamic]
+weakness: MASWE-0026
+---
+
+## Overview
+
+When apps need to use hashing in security sensitive scenarios, appropriate algorithms should be used.
+
+--  MASTG-TEST-0014 -- 
+Identify all the instances of the cryptographic primitives in code. Identify all custom cryptography implementations. You can look for:
+
+- classes `Cipher`, `Mac`, `MessageDigest`, `Signature`
+- interfaces `Key`, `PrivateKey`, `PublicKey`, `SecretKey`
+- functions `getInstance`, `generateKey`
+- exceptions `KeyStoreException`, `CertificateException`, `NoSuchAlgorithmException`
+- classes which uses `java.security.*`, `javax.crypto.*`, `android.security.*` and `android.security.keystore.*` packages.
+
+Identify that all calls to getInstance use default `provider` of security services by not specifying it (it means AndroidOpenSSL aka Conscrypt). `Provider` can only be specified in `KeyStore` related code (in that situation `KeyStore` should be provided as `provider`). If other `provider` is specified it should be verified according to situation and business case (i.e. Android API version), and `provider` should be examined against potential vulnerabilities.  
+
+Ensure that the best practices outlined in the "[Cryptography for Mobile Apps](../../../Document/0x04g-Testing-Cryptography.md)" chapter are followed. Look at [insecure and deprecated algorithms](../../../Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms) and [common configuration issues](../../../Document/0x04g-Testing-Cryptography.md#common-configuration-issues).
+
+#### Dynamic Analysis
+
+You can use @MASTG-TECH-0033 on cryptographic methods to determine input / output values such as the keys that are being used. Monitor file system access while cryptographic operations are being performed to assess where key material is written to or read from. For example, monitor the file system by using the [API monitor](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security#8-api-monitor---android-only) of @MASTG-TOOL-0037.
+
+
+
+
+When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms.
+
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used.
+
+## Observation
+
+The output should contain a list of locations where hashing is being used and the respective algorithms.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario.
+
+## References
+
+- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions)
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md

@@ -10,6 +10,9 @@ title: Testing the Configuration of Cryptographic Standard Algorithms
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: ['MASTG-TEST-0x14-21', 'MASTG-TEST-0x14-22', 'MASTG-TEST-0x14-23', 'MASTG-TEST-0x14-24', 'MASTG-TEST-0x14-25', 'MASTG-TEST-0x14-26']
+deprecation_reason: New version available in MASTG V2
 ---
 
 ## Overview