OWASP/maswe issue #4 (Open)

Description
Create a new risk for "Weak Signature (MASVS-CRYPTO-1)" using the following information:
The use of weak signatures, such as SHA1withRSA, in a security-sensitive context should be avoided to ensure the integrity and authenticity of the data.
Create "risks/MASVS-CRYPTO/1-***-****/weak-signatures/risk.md" including the following content:
```markdown
---
title: Weak Signature
alias: weak-signatures
platform: [android, ios]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-4]
  masvs-v2: [MASVS-CRYPTO-1]
  mastg-v1: [MASTG-TEST-0014]
---

## Overview

## Impact

## Modes of Introduction

## Mitigations
```
To complete the sections, follow the guidelines from "Writing MASTG Risks & Tests".
Use at least the following references:
- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
- https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Acceptance Criteria
- The risk has been created in the correct directory (risks/MASVS-CRYPTO/1-***-****/weak-signatures/risk.md)
- The risk content follows the guidelines
- At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
- The risk indicates the related MASTG v1 tests in its metadata.
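One of the tests that would be derived from "Modes of Introduction" is a static check for signature algorithms built on a disallowed digest. The following Python script is an added example (not part of the OWASP/maswe repository or this issue) of such a check over Java/Kotlin source: it flags `Signature.getInstance(...)` calls whose algorithm name uses MD2, MD5, SHA-1 or no digest at all, which NIST SP 800-131A Rev. 2 does not accept for digital signature generation. The JCA algorithm-name conventions it matches, the sample source lines and the function names are assumptions made for this example.

```python
import re

# Digest prefixes of JCA signature algorithm names that are not acceptable
# for signature generation under NIST SP 800-131A Rev. 2 (MD2, MD5, SHA-1)
# plus "NONEwith..." raw-signature variants. Assumption: providers follow the
# usual "<digest>with<key algorithm>[/PSS]" naming, e.g. "SHA1withRSA".
_WEAK_DIGEST_RE = re.compile(r"^(md2|md5|sha1|none)with", re.IGNORECASE)

# Matches Signature.getInstance("...") in Java or Kotlin source; the capture
# group is the algorithm name. Smali output uses const-string + invoke-static
# and would need a separate pattern (not covered here).
_CALL_RE = re.compile(r'Signature\s*\.\s*getInstance\s*\(\s*"([^"]+)"')


def is_weak_signature_algorithm(algorithm):
    """True if the JCA signature name is built on a disallowed digest."""
    # Normalise "SHA-1withRSA" and "sha1withrsa" to the same form.
    normalised = algorithm.replace("-", "").replace("_", "")
    return _WEAK_DIGEST_RE.match(normalised) is not None


def find_weak_signature_calls(source, filename="<input>"):
    """Return [(filename, line_no, algorithm)] for each weak signature use."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _CALL_RE.finditer(line):
            algorithm = match.group(1)
            if is_weak_signature_algorithm(algorithm):
                findings.append((filename, line_no, algorithm))
    return findings


# Constructed sample input for this example; not taken from any real app.
SAMPLE_SOURCE = """\
// constructed sample, mixing Java and Kotlin style calls
Signature sig = Signature.getInstance("SHA1withRSA");
Signature ok = Signature.getInstance("SHA256withRSA");
val ecdsa = Signature.getInstance("SHA-1withECDSA")
Signature pss = Signature.getInstance("SHA256withRSA/PSS");
"""


if __name__ == "__main__":
    for path, line_no, algorithm in find_weak_signature_calls(SAMPLE_SOURCE, "Sample.java"):
        print(f"{path}:{line_no}: weak signature algorithm {algorithm}")
```

Run against decompiled sources, this reports only the SHA-1 based calls; SHA256withRSA and the PSS variant on SHA-256 pass. A fuller test would also inspect key sizes passed to KeyPairGenerator and any algorithm names assembled at runtime, which a regex over literals cannot see.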