Swift : Hardcoded HMAC key
Classification
Overview
HMAC key is hardcoded. This may lead to an application data compromise.
In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key.
The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.
Eliminating security risks related to hardcoded passwords or keys is extremely difficult. This data is available at least to every developer of the application. Moreover, after the application is installed, removing password or key from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to find out the value of the key.
Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.
References
- Use of hard-coded password
- CWE-321: Use of Hard-coded Cryptographic Key
- Mobile Top 10 2014-M6-Broken Cryptography
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- RNCryptor README - github.com
- Mobile Top 10 2016-M5-Insufficient Cryptography
- CWE-798: Use of Hard-coded Credentials