Swift : Empty HMAC key

Classification

OWASP Mobile Top 10 2014 M6-Broken Cryptography OWASP Mobile Top 10 2016 M5-Insufficient Cryptography OWASP MASVS V3: 3.3.(L1/L2/L1+R/L2+R) V8: 8.13.(L1+R/L2+R) OWASP ASVS Stored Cryptography PCI DSS 4.0 3.6.1 6.2.4 8.3.2 HIPAA §164.312 (a)(2)(iv) CWE CWE-321

Overview

Empty HMAC key can compromise the application.

It is very difficult to eliminate the security risks related to hardcoded empty keys. The fact that some data is encrypted with an empty key is at least known to every application developer. Moreover, after the application is installed, the empty key can be removed from the code only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to learn about the encryption with an empty key.

Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.

References

  1. OWASP: Use of hard-coded cryptographic key
  2. CWE-321: Use of Hard-coded Cryptographic Key
  3. Mobile Top 10 2014-M6-Broken Cryptography
  4. OWASP Top 10 2013-A5-Security Misconfiguration
  5. OWASP Top 10 2013-A6-Sensitive Data Exposure
  6. Mobile Top 10 2016-M5-Insufficient Cryptography