search

RonRadtke / react-native-blob-util

A project committed to making file access and data transfer easier, efficient for React Native developers.
MIT License
747 stars 128 forks source link

[iOS] Usage of insecure cryptography algorithms #146

Open midhunm-c opened 2 years ago

midhunm-c commented 2 years ago

Hi @RonRadtke ,

Our application has gone through Whitehat security scan and reported the usage of insecure cryptography as mentioned below:

While the app is running on a physical device, CommonCrypto API requests are examined to detect usage of insecure encryption algorithms, encryption modes, hashing algorithms or insufficient key derivation rounds. CC_MD5, CC_SHA1 Description The application was found to use weak cryptographic algorithms while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. In cases of weak cryptographic methods being used in an app, an attacker may be able to break the confidentiality and integrity of app data.

Since the application is not directly using any kind of encryption, I have gone through dependencies and found in file ReactNativeBlobUtilFS

react-native-blob-util/ios/ReactNativeBlobUtilFS.m

hash method is using CC_MD5 and CC_SHA1 API's.

and their recommendation is not to use weak algorithms

Recommendation Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat_Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files.

Could you please have a look into this?

midhunm-c commented 2 years ago

@adnanal-hrbl @faizr - tagging you guys also.

RonRadtke commented 2 years ago

The hashes are not used for encrypting but only for getting the hash of a file, e.g. to check for integrity. So there shouldn't be any issues here unless you're using the hash to "encrypt" your file so it's not readable anymore.

Brune04 commented 1 year ago

Is there an update on this? I'm having this same issue.

RonRadtke commented 1 year ago

@Brune04 yep, still the same. MD5 und SHA1 are valid for a hash sum of a file to check it's integraty. Since it is still very hard to match the MD5 of an existing file (we're talking about collision attacks here) I don't see any reason to force repalce these alorithms. Especially since they are sill very common for file integraty checks.