MSTG-CRYPTO-1 states:
The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
I figure that the idea is that when a symmetric key is hardcoded on the device, the attacker has access to it and can decrypt sensitive data.
When asymmetric cryptography is used, normally just the public key resides on the client side.
But technically, in the scenario where data is asymmetrically encrypted and the public and private key are hardcoded on the device, the impact would be the same as for symmetric cryptography, but the test case would technically allow this broken scenario.
I would suggest expanding the requirement to:
The app does not rely on cryptography with hardcoded keys as a sole method of encryption.
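An added check that follows the issue's reasoning (example code written here, not part of the MSTG/MASVS project): a small source scanner that reports embedded key material of either kind, a PEM private key as well as a raw AES-sized key, while an embedded public key on its own is not reported, since that is the normal asymmetric setup. The file names and contents are constructed samples.

```python
import re

# Key material that should never be embedded in app code, regardless of
# whether the scheme is symmetric or asymmetric.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# Java/Kotlin byte-array literal such as {0x2b, 0x7e, ...}; the byte count is
# checked in Python rather than in the regex.
BYTE_ARRAY = re.compile(r"\{\s*((?:0x[0-9a-fA-F]{2}\s*,\s*)+0x[0-9a-fA-F]{2})\s*\}")
# A quoted string made only of hex digits (a raw key written as hex).
HEX_STRING = re.compile(r'"([0-9a-fA-F]+)"')
# AES-128/192/256 key sizes in bytes.
KEY_LENGTHS = (16, 24, 32)


def scan_source(name, text):
    """Return a list of findings for one source file (empty list if clean)."""
    findings = []
    if PEM_PRIVATE.search(text):
        findings.append(f"{name}: embedded PEM private key")
    for m in BYTE_ARRAY.finditer(text):
        n = len(m.group(1).split(","))
        if n in KEY_LENGTHS:
            findings.append(f"{name}: {n}-byte array literal (possible raw key)")
    for m in HEX_STRING.finditer(text):
        n = len(m.group(1)) // 2
        if len(m.group(1)) % 2 == 0 and n in KEY_LENGTHS:
            findings.append(f"{name}: {n}-byte hex string (possible raw key)")
    return findings


def scan_sources(sources):
    """Scan a mapping of file name -> file contents; findings keep file order."""
    out = []
    for name, text in sources.items():
        out.extend(scan_source(name, text))
    return out


# Constructed sample files (not from any real app). The key bytes are the
# well-known AES test vector key, used here only as a recognisable placeholder.
SAMPLES = {
    "AesHelper.java": "static final byte[] KEY = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,"
                      " 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};",
    "Signer.kt": 'val PRIV = "-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----"',
    "Pinning.java": 'static final String SERVER_PUB = "-----BEGIN PUBLIC KEY-----\\nPLACEHOLDER\\n-----END PUBLIC KEY-----";',
    "Hmac.java": 'static final String SECRET = "00112233445566778899aabbccddeeff";',
}

if __name__ == "__main__":
    for finding in scan_sources(SAMPLES):
        print(finding)
```

Pinning.java ships only a public key and produces no finding; the other three files are reported.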