Google Maps: App Security issues found in GMS for iOS

[andrewdhan]

Environment details

1. Google Maps
2. iOS
3. Maps version 8.2.0

Our dynamic app security scan provider, Data Theorem, identified that

[GMS uses] the CC_MD hashing functions, which leverage hashing algorithms (including MD2 and MD5) that are proven to be vulnerable to collision attacks, and are unsuitable for modern use.

Apple has officially deprecated these APIs in the iOS 13.0 SDK. They state in the CommonCrypto headers:

"These functions are cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger)."

If CC_MD hashing functions are used in a security context, are there plans to update the SDK with use of stronger algorithms with better collision resistance properties, such as SHA-256 or SHA-512?

If CC_MD is not being used in a security context, can you confirm so?

Thank you!

Stack trace

-[GMSx_GNSStreamProviderImpl outputStreamToBuffer:capacity:]
-[GMSx_GNSStreamProviderImpl outputStreamToMemory]
-[GMSx_CCTClearcutCounters initWithClock:]

-[GMSx_CCTClearcutLogEvent initWithLogSource:isAnonymous:clock:]
-[GMSx_CCTClearcutLogEvent initWithLogSource:isAnonymous:]
-[GMSx_CCTClearcutLogEvent initWithLogSource:]
@"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"

-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]

-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]

-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]

[wangela]

If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.

@andrewdhan Thank you for opening this issue. 🙏 Please check out these other resources that might help you get to a resolution in the meantime:

• Check the issue tracker - bugs and feature requests for Google Maps Platform APIs and SDKs
• Open a support case - Get 1:1 support in Cloud Console.
• Discord - chat with other developers
• StackOverflow - use the google-maps tag

This is an automated message, feel free to ignore.