Port MASTG-TEST-0013 (by @guardsquare)

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0212.md

@@ -12,12 +12,12 @@ In this test case, we will look for the use of hardcoded keys in Android applica
 
 ## Steps
 
-1. Run a static analysis tool such as @MASTG-TOOL-0110 on the code and look for uses of the hardcoded cryptographic keys.
+1. Use either @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 or @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001 to identify all the instances of symmetric key encryption in code and look for uses of the hardcoded cryptographic keys.
 
 ## Observation
 
 The output should contain a list of locations where hardcoded keys are used.
 
 ## Evaluation
 
-The test case fails if you find any hardcoded keys.
+The test case fails if you find any hardcoded keys that are used in security-sensitive contexts.

tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0221.md

@@ -0,0 +1,27 @@
+---
+title: Weak Encryption Algorithms
+platform: android
+id: MASTG-TEST-0221
+type: [static, dynamic]
+weakness: MASWE-0020
+---
+
+## Overview
+
+To test for the [use of weak encryption algorithms](../../../Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms) in Android apps, we need to focus on methods from cryptographic frameworks and libraries that are used to perform encryption and decryption operations.
+
+- [`Cipher.getInstance`](https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)): Initializes a Cipher object for encryption or decryption. The `algorithm` parameter can be one of the [supported algorithms](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Cipher).
+- [`SecretKeyFactory.getInstance`](https://developer.android.com/reference/javax/crypto/SecretKeyFactory#getInstance(java.lang.String)): Returns a SecretKeyFactory object that converts keys into key specifications and vice versa. The `algorithm` parameter can be one of the [supported algorithms](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory).
+- [`KeyGenerator.getInstance`](https://developer.android.com/reference/javax/crypto/KeyGenerator#getInstance(java.lang.String)): Returns a `KeyGenerator` object that generates secret keys for symmetric algorithms. The `algorithm` parameter can be one of the [supported algorithms](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyGenerator).
+
+## Steps
+
+1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and look for uses of the cryptographic functions that perform encryption and decryption operations.
+
+## Observation
+
+The output should contain a list of locations where insecure symmetric encryption algorithms are used.
+
+## Evaluation
+
+The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) encryption algorithms being used.

tests/android/MASVS-CRYPTO/MASTG-TEST-0013.md

@@ -8,6 +8,9 @@ title: Testing Symmetric Cryptography
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: ['MASTG-TEST-0212', 'MASTG-TEST-0221']
+deprecation_reason: New version available in MASTG V2
 ---
 
 ## Overview