Ports MASTG-TEST-0014 (by @guardsquare)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md

@@ -0,0 +1,28 @@
+---
+platform: android
+title: Weak Hashing Algorithms
+id: MASTG-TEST-0x14-1
+type: [static, dynamic]
+weakness: MASWE-0021
+---
+
+## Overview
+
+When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used.
+
+## Observation
+
+The output should contain a list of locations where hashing is being used and the respective algorithms.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario.
+
+## References
+
+- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions)
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md

@@ -0,0 +1,31 @@
+---
+platform: android
+title: Hardcoded Initialization Vectors
+id: MASTG-TEST-0x14-22-2
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (`IV`)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the `IV` does not have to be kept secret, but it should not be reused or predictable.
+
+**Hardcoded initialization vectors** are the worst scenario and allow an attacker to easily defeat the purpose for which the encryption is being used.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you can find `AlgorithmParameterSpec` objects being created with hardcoded data and then used to initialize a `Cipher`.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md

@@ -0,0 +1,34 @@
+---
+platform: android
+title: Reused Initialization Vectors
+id: MASTG-TEST-0x14-22-1
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the IV does not have to be kept secret, but it should not be reused or predictable.
+
+Reusing initialization vectors allow the attacker to recover the original message and in the case of some modes (e.g., `GCM`) allow [tampering with the encrypted messages](https://asecuritysite.com/golang/go_reuseiv).
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you observe at least one of the following:
+
+- you can find the multiple `AlgorithmParameterSpec` objects created with the same data, and each then used to initialize its `Cipher`.
+- you can find the same `AlgorithmParameterSpec` object used to initialize multiple `Cipher`s.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md

@@ -0,0 +1,31 @@
+---
+platform: android
+title: Predictable Initialization Vectors
+id: MASTG-TEST-0x14-22-3
+type: [static, dynamic]
+weakness: MASWE-0022
+---
+
+## Overview
+
+Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher.
+In general, the IV does not have to be kept secret, but it should not be reused or predictable.
+
+Predictable initialization vectors can allow the attackers to conduct [chosen plaintext attack](https://crypto.stackexchange.com/a/18401), and therefore should be avoided in security sensitive scenarios.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc.
+1. Track all the posterior uses of the identified objects.
+
+## Observation
+
+The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used.
+
+## Evaluation
+
+The test case fails if you can find `AlgorithmParameterSpec` objects being created with weak or deterministic random generator and then used to initialize a `Cipher` that is used in a security sensitive scenario.
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md

@@ -0,0 +1,40 @@
+---
+platform: android
+title: Weak Padding
+id: MASTG-TEST-0x14-23
+type: [static, dynamic]
+weakness: MASWE-0023
+---
+
+## Overview
+
+The cipher padding used in a security sensitive context should be carefully selected, otherwise it can be used to compromise the confidentiality, integrity and authenticity of the encrypted data.
+
+In the case of symmetric block ciphers, a secure padding scheme is used to prevent that the last block is not filled data that could be exploited by the adversary.
+In the case of asymmetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext.
+
+Check the [documentation on attacks against padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples.
+
+There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocks.
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of encryption related APIs, such as [`Cipher.getInstance`](https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)), and the first argument (`transformation`) being used.
+
+## Observation
+
+The output should contain a list of locations where a `Cipher` is being created and the text of the respective `transformation`.
+
+## Evaluation
+
+The test case fails if you can find at least one `Cipher` defined with a `transformation` whose [padding scheme is not adequate](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) to the algorithm and mode, and such `Cipher` is used in a security sensitive context.
+
+- If you are using `RSA` algorithm, you are required to use `OAEPPadding` (or one of its versions);
+- Otherwise, weak padding such as NoPadding, ZeroPadding, etc. should be avoided unless you are sure that is secure for that specific combination (e.g., as is the case for `AES/GCM/NoPadding`).
+
+Check the documentation for [specific recommendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms).
+
+## References
+
+- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md)
+- [Cryptographic Mechanisms: Recommendations and Key Lengths](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile)

tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md

@@ -10,6 +10,9 @@ title: Testing the Configuration of Cryptographic Standard Algorithms
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: ['MASTG-TEST-0x14-21', 'MASTG-TEST-0x14-22', 'MASTG-TEST-0x14-23', 'MASTG-TEST-0x14-24', 'MASTG-TEST-0x14-25', 'MASTG-TEST-0x14-26']
+deprecation_reason: New version available in MASTG V2
 ---
 
 ## Overview