Our dynamic app security scan provider, Data Theorem, identified that
[GMS uses] the CC_MD hashing functions, which leverage hashing algorithms (including MD2 and MD5) that are proven to be vulnerable to collision attacks, and are unsuitable for modern use.
Apple has officially deprecated these APIs in the iOS 13.0 SDK. They state in the CommonCrypto headers:
"These functions are cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger)."
If CC_MD hashing functions are used in a security context, are there plans to update the SDK with use of stronger algorithms with better collision resistance properties, such as SHA-256 or SHA-512?
If CC_MD is not being used in a security context, can you confirm so?
If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.
@andrewdhan Thank you for opening this issue. 🙏
Please check out these other resources that might help you get to a resolution in the meantime:
Environment details
Our dynamic app security scan provider, Data Theorem, identified that
If CC_MD hashing functions are used in a security context, are there plans to update the SDK with use of stronger algorithms with better collision resistance properties, such as SHA-256 or SHA-512?
If CC_MD is not being used in a security context, can you confirm so?
Thank you!
Stack trace