M5: Insufficient Cryptography

Insecure use of cryptography in mobile apps can lead to privacy violations, code theft, and reputational damage. Prevent this vulnerability by following secure cryptographic standards and key management processes.

Overview

Insufficient Cryptography is a vulnerability that occurs when an app uses weak encryption algorithms or a flawed encryption process, allowing unauthorized retrieval of sensitive information from a mobile device.


Description

Insecure use of cryptography is common in most mobile apps that leverage encryption. This vulnerability can result in privacy violations, information theft, code theft, intellectual property theft, or reputational damage. It can manifest through reliance upon built-in code encryption processes or through poor key management processes. It is important to avoid storing sensitive data on a mobile device whenever possible and to follow cryptographic standards that will withstand the test of time. Using secure algorithms and avoiding insecure or deprecated algorithms is also crucial.


How to Prevent?

To prevent Insufficient Cryptography, it is recommended to:

  • Avoid storing sensitive data on a mobile device.
  • Apply cryptographic standards that will withstand the test of time.
  • Follow NIST guidelines on recommended algorithms.
  • Avoid reliance upon built-in code encryption processes.
  • Implement proper key management processes.
  • Avoid the use of hardcoded keys within the binary.
  • Use modern encryption algorithms accepted as strong by the security community.

It is also important to prevent binary attacks that could lead to the exploitation of common libraries.
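As an added example (not from the original page or from any project), the following Python check flags three of the practices listed above in Java source: deprecated algorithms, ECB mode, and keys hardcoded in the code. The rule list, the `scan` function and the sample snippet are assumptions constructed for illustration, not an exhaustive policy.

```python
import re

# Illustrative rules (an assumption of this example, not an exhaustive policy).
RULES = [
    # Ciphers long considered weak or deprecated.
    ("weak-cipher", re.compile(
        r'Cipher\.getInstance\(\s*"(DES|DESede|RC2|RC4|ARCFOUR)\b[^"]*"', re.I)),
    # ECB leaks plaintext patterns regardless of the cipher.
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"', re.I)),
    # Bare "AES" lets the provider choose the mode; common providers pick ECB.
    ("implicit-mode", re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)', re.I)),
    # Hash functions no longer considered collision resistant.
    ("weak-hash", re.compile(
        r'MessageDigest\.getInstance\(\s*"(MD2|MD4|MD5|SHA-?1)"', re.I)),
    # Key material embedded as a string or byte-array literal.
    ("hardcoded-key", re.compile(
        r'new\s+SecretKeySpec\(\s*(?:"[^"]*"\.getBytes\(|new\s+byte\s*\[\s*\]\s*\{)')),
]

def scan(source, filename="<input>"):
    """Return (filename, line number, rule id) for every rule hit in Java source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "/*", "*")):
            continue  # skip comment-only lines
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((filename, lineno, rule_id))
    return findings

# Constructed sample input, not taken from a real app.
SAMPLE = '''\
// Cipher.getInstance("DES") mentioned in a comment is ignored
Cipher c1 = Cipher.getInstance("DES/ECB/PKCS5Padding");
SecretKeySpec k = new SecretKeySpec("s3cr3tk3y".getBytes(), "DES");
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c2 = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest ok = MessageDigest.getInstance("SHA-256");
'''

if __name__ == "__main__":
    for name, lineno, rule_id in scan(SAMPLE, "Sample.java"):
        print(f"{name}:{lineno}: {rule_id}")
```

A check like this only catches literal patterns in source; keys assembled at runtime or algorithms chosen through configuration need review of the built binary as well.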


Example Attack Scenarios:

  • None: There are no specific example attack scenarios provided for Insufficient Cryptography.
