Insufficient Cryptography is common in most systems that leverage encryption whether it is a mobile, desktop, or even firmware. There are two fundamental ways that broken cryptography is manifested within apps, The first depends on processes used to encrypt and decrypt, and the second depends on the encryption and decryption algorithm. which both result in the unauthorized retrieval of sensitive information from the system.
The severity of this issue is highly dependent on the system and exploitation method.
An attacker could try to find Insufficient Cryptography using the following methods:
- finding a process behind the encryption/decryption that is fundamentally flawed and can be exploited.
- if the encryption/decryption algorithm is weak in nature, the attacker will be able to decrypt it.
It is best to do the following when handling sensitive data:
- Avoid the storage of any sensitive data on a the system where possible.
- Apply cryptographic standards that will withstand the test of time for at least 10 years into the future.
- Follow the NIST guidlines on recommended algorithms