Swift : Empty HMAC key
Classification
OWASP Mobile Top 10 2014 M6-Broken Cryptography OWASP Mobile Top 10 2016 M5-Insufficient Cryptography OWASP MASVS V3: 3.3.(L1/L2/L1+R/L2+R) V8: 8.13.(L1+R/L2+R) OWASP ASVS Stored Cryptography PCI DSS 4.0 3.6.1 6.2.4 8.3.2 HIPAA §164.312 (a)(2)(iv) CWE CWE-321Overview
Empty HMAC key can compromise the application.
It is very difficult to eliminate the security risks related to hardcoded empty keys. The fact that some data is encrypted with an empty key is at least known to every application developer. Moreover, after the application is installed, the empty key can be removed from the code only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to learn about the encryption with an empty key.
Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.