faizalshap / react-native-otp-verify

React native sms verification without additional permissions
MIT License

WEAK HASHING ALGORITHMS [M5] [CWE-916] [SAST] - High Vulnerability Report #59

Closed dilip90 closed 1 year ago

dilip90 commented 2 years ago

Description: The mobile application uses weak hashing algorithms. Weak hashing algorithms (e.g. MD2, MD4, MD5 or SHA-1) can be vulnerable to collisions and other security weaknesses, and should not be used when reliable hashing of data is required.

Example of insecure code:
    MessageDigest md = MessageDigest.getInstance("SHA-1");

Example of secure code:
    MessageDigest md = MessageDigest.getInstance("SHA-256");

Details:

There is 'getInstance("SHA-1")' found in file 'c/b/d/k/c.java':
    line 9:  try {
    line 10: MessageDigest instance = MessageDigest.getInstance("SHA-1");
    line 11: instance.update(bArr, 0, bArr.length);

There is 'getInstance("SHA-1")' found in file 'com/appsflyer/internal/ae.java':
    line 97: try {
    line 98: MessageDigest instance = MessageDigest.getInstance("SHA-1");
    line 99: instance.reset();

There is 'getInstance("MD5")' found in file 'com/RNFetchBlob/h.java':
    line 52: try {
    line 53: MessageDigest instance = MessageDigest.getInstance("MD5");
    line 54: instance.update(str.getBytes());

WEAK HASHING ALGORITHMS [M5] [CWE-916] [SAST] HIGH

There is 'getInstance("MD5")' found in file 'com/appsflyer/internal/ae.java':
    line 57: try {
    line 58: MessageDigest instance = MessageDigest.getInstance("MD5");
    line 59: instance.reset();

CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

faizalshap commented 1 year ago

Hi @dilip90, we are already using the SHA-256 algorithm for generating the hash. Please check if the warning is from any other module you are using. Thanks
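As an added example (not code from this issue or from react-native-otp-verify), a small Python scanner that reproduces the kind of check behind this SAST finding and helps with the triage question the maintainer raises: it flags MessageDigest.getInstance() calls that name one of the weak algorithms listed in the report, records the surrounding lines in the report's own "line N: ..." shape, and groups findings by Java package so hits inside bundled SDKs (com/appsflyer, com/RNFetchBlob) are separated from the app's own code. The sample sources are constructed from the snippets quoted in the issue; the com/example/otp/Hash.java path is a hypothetical placeholder.

```python
import re
from collections import defaultdict
# Algorithm names the report treats as weak, plus MessageDigest's SHA-1 aliases.
WEAK_ALGORITHMS = {"MD2", "MD4", "MD5", "SHA-1", "SHA1", "SHA"}
# Matches MessageDigest.getInstance("<alg>") regardless of spacing.
GETINSTANCE_RE = re.compile(r'MessageDigest\s*\.\s*getInstance\s*\(\s*"([^"]+)"')

def find_weak_digests(path, source, context=1):
    """One finding per weak getInstance() call, with 1-based context lines."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        match = GETINSTANCE_RE.search(line)
        if not match or match.group(1).upper() not in WEAK_ALGORITHMS:
            continue
        lo, hi = max(0, idx - context), min(len(lines), idx + context + 1)
        findings.append({"file": path, "line": idx + 1,
                         "algorithm": match.group(1).upper(),
                         "context": [(n + 1, lines[n].strip()) for n in range(lo, hi)]})
    return findings

def scan_all(sources):
    """Scan a {path: source} mapping of decompiled Java files."""
    return [f for path, src in sources.items() for f in find_weak_digests(path, src)]

def group_by_package(findings):
    """Group by the first two path components (e.g. com/appsflyer) to separate bundled-SDK hits from app code."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped["/".join(finding["file"].split("/")[:2])].append(finding)
    return dict(grouped)

# Constructed sample sources modelled on the snippets quoted in the issue;
# the com/example/otp path is a hypothetical placeholder for the app's own code.
SAMPLE_SOURCES = {
    "com/appsflyer/internal/ae.java":
        'try {\n    MessageDigest instance = MessageDigest.getInstance("MD5");\n'
        "    instance.reset();\n} catch (Exception e) {}\n",
    "com/RNFetchBlob/h.java":
        'try {\n    MessageDigest instance = MessageDigest.getInstance("MD5");\n'
        "    instance.update(str.getBytes());\n} catch (Exception e) {}\n",
    "com/example/otp/Hash.java":
        'MessageDigest md = MessageDigest.getInstance("SHA-256");\n',
}

if __name__ == "__main__":
    for package, items in group_by_package(scan_all(SAMPLE_SOURCES)).items():
        for f in items:
            print(f"[{package}] {f['file']}:{f['line']} uses {f['algorithm']}",
                  *(f"\n    line {n}: {t}" for n, t in f["context"]), sep="")
```

Running it over a real decompiled tree means reading each .java file into the mapping; a finding whose package is not the app's own is evidence for the "other module" explanation in the reply above.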