sdog-mitre closed this issue 7 years ago
Existing threat APP-10: Poorly implemented cryptography in mobile apps (e.g., hardcoded cryptographic keys, use of insecure cryptographic algorithms) appears to cover this threat. Countermeasures in APP-10 will be enhanced to include references to specific external resources that contain guidance on the secure handling of cryptographic keys by mobile apps.
On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.
New Threat
Threat Category: Application: Vulnerable Application
Threat: Discovering the cryptographic keys in the code or device memory and lifting them for malicious purposes.
Threat Origin: None
Exploit Example:
https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf
http://www.whiteboxcrypto.com/files/2012_misc.pdf
CVE Example: None
Possible Countermeasures:
References: None