DerScanner
Home / Vulnerability Database / Objective-C : Empty encryption key
Objective-C

Objective-C : Empty encryption key

Classification

OWASP Mobile Top 10 2014
M6-Broken Cryptography
OWASP Mobile Top 10 2016
M5-Insufficient Cryptography
OWASP MASVS
V3: 3.3.(L1/L2/L1+R/L2+R)V8: 8.13.(L1+R/L2+R)
OWASP ASVS
Stored Cryptography
PCI DSS 4.0
3.6.16.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-321

Overview

Empty encryption key can compromise the application.

It is very difficult to eliminate the security risks related to hardcoded empty keys. The fact that some data is encrypted with an empty key is at least known to every application developer. Moreover, after the application is installed, the empty key can be removed from the code only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to learn about the encryption with an empty key.

Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.

References

  1. OWASP: Use of hard-coded cryptographic key
  2. CWE-321: Use of Hard-coded Cryptographic Key
  3. Mobile Top 10 2014-M6-Broken Cryptography
  4. OWASP Top 10 2013-A5-Security Misconfiguration
  5. OWASP Top 10 2013-A6-Sensitive Data Exposure
  6. Mobile Top 10 2016-M5-Insufficient Cryptography
CRITICAL

DerScanner Severity Score

Do you want to fix Objective-C : Empty encryption key in your application?

See also

Objective-C

Objective-C : Internal information leak

Objective-C

Objective-C : Weak hashing algorithm

Objective-C

Objective-C : Unsafe reflection