78 lines
2.5 KiB
Plaintext
78 lines
2.5 KiB
Plaintext
include::../../../shared_content/secrets/description.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
|
|
|
=== What is the potential impact?
|
|
|
|
include::../../../shared_content/secrets/impact/private_key_disclosure.adoc[]
|
|
|
|
include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
|
|
|
|
If a third party gets access to a keystore containingan Android upload key or app signing key, this person could sign and distribute malicious apps under the same identity as the original app.
|
|
|
|
== How to fix it
|
|
|
|
include::../../../shared_content/secrets/fix/store_separatly.adoc[]
|
|
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
|
|
|
In most cases, if the key is used as part of a larger trust model (X509, PGP,
|
|
etc), it is necessary to issue and publish a revocation certificate. Doing so
|
|
will ensure that all people and assets that rely on this key for security
|
|
operations are aware of its compromise and stop trusting it.
|
|
|
|
include::../../../shared_content/secrets/fix/recent_use.adoc[]
|
|
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,shell,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
keytool -genkey \
|
|
-keystore release.jks \
|
|
-alias release \
|
|
-keyalg RSA \
|
|
-keysize 2048 \
|
|
-validity 1000 \
|
|
-dname "CN=com.example" \
|
|
-storepass release # Noncompliant, keystore password is easy to guess
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
Keychain files whould created using a strong password.
|
|
|
|
[source,shell,diff-id=1,diff-type=compliant]
|
|
----
|
|
echo $STRONG_PWD | keytool -genkey \
|
|
-keystore release.jks \
|
|
-alias release \
|
|
-keyalg RSA \
|
|
-keysize 2048 \
|
|
-validity 1000 \
|
|
-dname "CN=com.example"
|
|
----
|
|
|
|
Files containing cryptographic key should not be commitied with the application codebase and should be distributed separatly.
|
|
|
|
//=== How does this work?
|
|
|
|
//=== Pitfalls
|
|
|
|
//=== Going the extra mile
|
|
|
|
== Resources
|
|
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
|
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security[Mobile Top 10 2024 Category M2 - Inadequate Supply Chain Security]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
|
|
|
|
//=== Benchmarks
|