Insecure Data Storage
M8: Insufficient Cryptography covers flaws that let an attacker decrypt, forge or tamper with data or messages that a mobile application, or a system or service it relies on, was supposed to protect with cryptography. Encryption transforms data into ciphertext that is unreadable to anyone who does not hold the key; a sound design also authenticates the data so that any modification is detected. For example, a messaging app encrypts messages so that only you and the recipient can read them, and so that nobody in between can alter them without the change being noticed.
Insufficient cryptography arises when an application, or a system or service it depends on, does not use cryptography at all or uses it incorrectly. Common flaws are:
No encryption: Some applications store data in plain text, send it over unencrypted channels, or hand it to services that do not encrypt it. For example, a notes app that writes your notes as plain text to a file on the device, where any process with access to that file, or anyone who obtains a device backup, can read them.
Weak encryption: Some applications use encryption, but with broken or outdated algorithms (such as DES, RC4 or the MD5 hash) or with keys too short to resist brute force (such as 56-bit DES keys or 1024-bit RSA keys; 128-bit and 256-bit symmetric keys are both adequate). For example, an app that encrypts your messages with single DES under one fixed key: the 56-bit key space can be searched with commodity hardware, and once the key is recovered every message the app ever sent is exposed.
Improper key management: Some applications use sound encryption but handle the keys carelessly. They store keys in insecure locations on the device (shared preferences, caches, ordinary files in app storage), transmit keys over insecure channels (HTTP or SMS), share keys with untrusted third-party services, hardcode keys in the app binary where anyone who unpacks the APK or IPA can read them, reuse one key for several purposes, or never rotate keys. For example, an app that encrypts your messages but stores the key in a shared preference next to the ciphertext it protects, so whoever can read the app's data directory has both.
Cryptographic errors: Some applications pick sound algorithms but misuse them. Typical mistakes are encrypting with ECB mode (identical plaintext blocks give identical ciphertext blocks, so patterns in the data show through), using a fixed or predictable IV or reusing a nonce (messages with the same prefix produce the same ciphertext prefix, and with GCM or a stream cipher nonce reuse leaks plaintext outright), encrypting without an authentication tag or MAC (an attacker can flip bits in the ciphertext and CBC padding errors can become a padding oracle), hashing passwords without a salt and a work factor, and rolling your own primitives or protocols. Two things the text of this category is sometimes confused about: "PKCS#5" and "PKCS#7" padding are the same scheme for 16-byte blocks (Java's PKCS5Padding is PKCS#7), and the output encoding (Base64 versus hex) is a serialization choice, not a security property. What matters is the mode, the IV or nonce, and the integrity check. For example, an app that encrypts your messages with AES-CBC under a fixed IV and no MAC reveals which messages share a prefix and lets an attacker modify them undetected.
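As an added illustration (this Go program is not from the OWASP page or the linked resources; the key, the record strings and the byte offsets are constructed for the demonstration), the following code reproduces three of the errors above with only the Go standard library: ECB repeating ciphertext blocks, a fixed CBC IV exposing shared message prefixes, and unauthenticated CBC letting an attacker rewrite a field in a record. The hardcoded key is deliberately part of the bad example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// hardcodedKey is a constructed 32-byte (AES-256) key. Embedding it like this is
// the "hardcode keys in the code" flaw: anyone who unpacks the app can read it.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad pads data to a whole number of blocks (PKCS#7, identical to Java's PKCS5Padding).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding; returns nil when the padding byte is invalid.
func pkcs7Unpad(data []byte) []byte {
	if len(data) == 0 {
		return nil
	}
	n := int(data[len(data)-1])
	if n == 0 || n > len(data) {
		return nil
	}
	return data[:len(data)-n]
}

// encryptECB encrypts each block independently: same plaintext block, same ciphertext block.
func encryptECB(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out
}

// ecbRepeatsBlocks reports whether the first two ciphertext blocks are identical,
// which happens exactly when the first two plaintext blocks are identical.
func ecbRepeatsBlocks(key, plaintext []byte) bool {
	ct := encryptECB(key, plaintext)
	return bytes.Equal(ct[:16], ct[16:32])
}

// encryptCBCFixedIV is AES-CBC with an all-zero IV that never changes (the fixed-IV flaw).
func encryptCBCFixedIV(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, block.BlockSize())
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decryptCBCFixedIV decrypts with no integrity check, so tampered input is accepted.
func decryptCBCFixedIV(key, ct []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, block.BlockSize())
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// fixedIVLeaksPrefix is true when two messages with the same first 16 bytes produce
// the same first ciphertext block, telling an observer that they share a prefix.
func fixedIVLeaksPrefix(key, m1, m2 []byte) bool {
	return bytes.Equal(encryptCBCFixedIV(key, m1)[:16], encryptCBCFixedIV(key, m2)[:16])
}

// tamperCBC shows CBC malleability: XOR-ing ciphertext block i with (from XOR to)
// rewrites the same positions of plaintext block i+1 (block i itself becomes garbage).
// pos is the byte offset of `from` in the plaintext and must lie in block 1 or later.
// The key is only used to decrypt and show the result; the XOR itself needs no key.
func tamperCBC(key, ct []byte, pos int, from, to string) []byte {
	out := append([]byte{}, ct...)
	for i := 0; i < len(from); i++ {
		out[pos-16+i] ^= from[i] ^ to[i]
	}
	return decryptCBCFixedIV(key, out)
}

func main() {
	fmt.Println("ECB repeats blocks:", ecbRepeatsBlocks(hardcodedKey, bytes.Repeat([]byte("A"), 32)))
	fmt.Println("fixed IV leaks prefix:", fixedIVLeaksPrefix(hardcodedKey, []byte("balance=100;acct=1"), []byte("balance=100;acct=2")))
	record := []byte("header-block-000role=user;id=42;") // constructed 2-block record
	ct := encryptCBCFixedIV(hardcodedKey, record)
	forged := tamperCBC(hardcodedKey, ct, 21, "user", "root")
	fmt.Printf("block 1 after tampering: %q\n", forged[16:32])
}
```

Running it prints that the two identical plaintext blocks give identical ECB ciphertext, that the two account records share a first ciphertext block, and that block 1 of the forged record reads role=root;id=42; although the attacker only XOR-ed four bytes of ciphertext and never touched the key.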
These flaws can lead to exposure of sensitive data, undetected tampering with stored or transmitted data, forged messages or tokens, and, where the protected data is configuration or code, injection and code execution. Mobile applications and the systems and services they rely on therefore need to implement and enforce sufficient cryptography:
Encryption: Use current, vetted algorithms and adequate key sizes: AES-256 (or AES-128) in an authenticated mode such as GCM, or ChaCha20-Poly1305, for symmetric encryption; SHA-256 or SHA-3 for hashing (a hash such as SHA is not an encryption algorithm and does not replace one); RSA with at least 2048-bit keys or elliptic-curve keys (P-256, Curve25519) for public-key operations; and a slow, salted key derivation function such as Argon2, scrypt or PBKDF2 whenever a key has to come from a password. For example, an app that stores your notes should encrypt them with AES-256-GCM and keep the key in the platform keystore rather than in the database beside the notes.
Key management: Keep keys in the platform secure store (the iOS Keychain or Secure Enclave, the Android Keystore), generate them on the device from a cryptographically secure random source rather than deriving them from fixed values, use a distinct key for each purpose (notes at rest, message transport, tokens), never hardcode keys in the binary or send them over unprotected channels, share keys only with parties that legitimately need them and only over authenticated TLS, and plan for rotation. For example, an app that encrypts your messages should hold a long-term key in the keystore and use a fresh random nonce for every message; if it needs per-message keys, it should wrap them with the keystore-held key rather than storing each one.
Cryptographic practices: Use an authenticated mode (AES-GCM or ChaCha20-Poly1305) with a unique random nonce per message. If CBC cannot be avoided, generate a random IV per message, add an HMAC over the IV and ciphertext (encrypt-then-MAC) and verify it before decrypting, and treat a padding error like any other authentication failure. Never use ECB. Standard PKCS#7 padding (which Java calls PKCS5Padding) is fine; the encoding of the result (Base64 or hex) is a serialization choice, not a security control, so pick one and keep the nonce and tag with the ciphertext. Use a well-reviewed library rather than your own implementation. For example, an app that encrypts your messages should use AES-256-GCM with a random 96-bit nonce prepended to each ciphertext and reject any message whose authentication tag does not verify.
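The hardened counterpart, again an added example in Go and not code from the OWASP page or the listed resources: a random master key standing in for a Keystore/Keychain-held key, HMAC-SHA256 purpose-bound subkeys so notes and messages never share a key, and AES-256-GCM with a fresh random nonce and an authentication tag that is checked before any plaintext is returned. The purpose labels, associated data and sample message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newMasterKey draws a 256-bit key from the OS CSPRNG. On a real device the key
// would be generated inside and never leave the Android Keystore / iOS Keychain;
// here it lives in memory only for the demonstration.
func newMasterKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// deriveKey derives a purpose-bound subkey as HMAC-SHA256(master, label || 0x01),
// which is one block of HKDF-Expand. Different labels give different keys, so a
// compromise of the notes key says nothing about the message key.
func deriveKey(master []byte, purpose string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(purpose))
	mac.Write([]byte{0x01})
	return mac.Sum(nil)
}

// sealMessage encrypts with AES-256-GCM: a fresh random 96-bit nonce per call,
// associated data bound into the tag, output = nonce || ciphertext || tag.
func sealMessage(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openMessage verifies the tag before releasing any plaintext: a flipped bit,
// a different key or different associated data all yield an error, never garbage.
func openMessage(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	master, err := newMasterKey()
	if err != nil {
		panic(err)
	}
	msgKey := deriveKey(master, "messages-v1")
	notesKey := deriveKey(master, "notes-db-v1")
	fmt.Println("distinct keys per purpose:", !bytes.Equal(msgKey, notesKey))

	aad := []byte("to:alice") // constructed associated data: bound to the tag, not secret
	sealed, _ := sealMessage(msgKey, []byte("role=user;id=42;"), aad)
	pt, err := openMessage(msgKey, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	tampered := append([]byte{}, sealed...)
	tampered[12+5] ^= 'u' ^ 'r' // the same bit-flip that worked against plain CBC
	_, err = openMessage(msgKey, tampered, aad)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Two properties to notice when you run it: sealing the same plaintext twice gives two different outputs because the nonce changes, and the bit-flip that silently rewrote a CBC record is now refused with an authentication error before any plaintext is produced.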
For more on this category and how to prevent it, see these resources:
[M8-Insufficient Cryptography | OWASP Foundation]: The official website of the OWASP Mobile Top 10 project. It contains detailed information about this category and links to other useful resources.
[Mobile App Security: How To Secure Your Mobile App Cryptography]: A blog post that provides an overview of the best practices for mobile app cryptography.
[Mobile App Security Testing | Cybrary]: A course that teaches you how to test and secure mobile applications against various security risks.