DerScanner
Home / Vulnerability Database / Swift : Empty HMAC key
Swift

Swift : Empty HMAC key

Classification

OWASP Mobile Top 10 2014
M6-Broken Cryptography
OWASP Mobile Top 10 2016
M5-Insufficient Cryptography
OWASP MASVS
V3: 3.3.(L1/L2/L1+R/L2+R)V8: 8.13.(L1+R/L2+R)
OWASP ASVS
Stored Cryptography
PCI DSS 4.0
3.6.16.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-321

Overview

Empty HMAC key can compromise the application.

It is very difficult to eliminate the security risks related to hardcoded empty keys. The fact that some data is encrypted with an empty key is at least known to every application developer. Moreover, after the application is installed, the empty key can be removed from the code only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to learn about the encryption with an empty key.

Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.

References

  1. OWASP: Use of hard-coded cryptographic key
  2. CWE-321: Use of Hard-coded Cryptographic Key
  3. Mobile Top 10 2014-M6-Broken Cryptography
  4. OWASP Top 10 2013-A5-Security Misconfiguration
  5. OWASP Top 10 2013-A6-Sensitive Data Exposure
  6. Mobile Top 10 2016-M5-Insufficient Cryptography
CRITICAL

DerScanner Severity Score

Do you want to fix Swift : Empty HMAC key in your application?

See also

Swift

Swift : Nill password

Swift

Swift : Hardcoded salt

Swift

Swift : Undocumented feature: special account