googlemaps / ios-places-sdk

Apache License 2.0

Google Places: App Security issues found in GMP for iOS #9

Open andrewdhan opened 2 months ago

andrewdhan commented 2 months ago

Environment details

  1. Google Places
  2. iOS
  3. Places version 8.2.1

Our dynamic app security scan provider, Data Theorem, identified that

[GMP uses] the CC_MD hashing functions, which leverage hashing algorithms (including MD2 and MD5) that are proven to be vulnerable to collision attacks, and are unsuitable for modern use.

Apple has officially deprecated these APIs in the iOS 13.0 SDK. They state in the CommonCrypto headers:

"These functions are cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger)."

If CC_MD hashing functions are used in a security context, are there plans to update the SDK with use of stronger algorithms with better collision resistance properties, such as SHA-256 or SHA-512?

If CC_MD is not being used in a security context, can you confirm so?

Thank you!

Stack trace

-[GMPx_PHTSnapshot emptyConfiguration:]
-[GMPx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMPx_PHTPhenotypeConfiguration initWithAllFlagsDictionary:serverToken:userID:tokens:configurationVersion:]
-[_OBJC_CLASS_$_NSMutableArray init]
-[GMPx_PHTSnapshot emptyConfiguration:]
-[GMPx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMPx_PHTPhenotypeConfiguration initWithAllFlagsDictionary:serverToken:userID:tokens:configurationVersion:]
-[_OBJC_CLASS_$_NSMutableArray init]
-[GMPx_CCTClearcutLogEvent initWithLogSource:isAnonymous:clock:]
-[GMPx_CCTClearcutLogEvent initWithLogSource:isAnonymous:]
-[GMPx_CCTClearcutLogEvent initWithLogSource:]
@"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
-[GMPx_PHTSnapshot emptyConfiguration:]
-[GMPx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMPx_PHTPhenotypeConfiguration initWithAllFlagsDictionary:serverToken:userID:tokens:configurationVersion:]
-[_OBJC_CLASS_$_NSMutableArray init]

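
Added example (not code from the SDK or from this issue) of the migration the quoted CommonCrypto header text asks for: the deprecated CC_MD5 form beside CC_SHA256 from the same module, plus a constant-time digest compare for callers that validate a stored hash. The Example* names and the sample input are hypothetical, and nothing here describes what the SDK's own hash check does; the 16-field "%02x" format string in the trace is simply the hex shape of a 16-byte MD5 digest.

```objectivec
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
// Example* names are hypothetical helpers, not SDK symbols. Hex rendering uses one
// "%02x" field per byte; the 16-field format string in the trace fits a 16-byte MD5.
static NSString *ExampleHexString(NSData *digest) {
    const unsigned char *bytes = digest.bytes;
    NSMutableString *hex = [NSMutableString stringWithCapacity:digest.length * 2];
    for (NSUInteger i = 0; i < digest.length; i++) {
        [hex appendFormat:@"%02x", bytes[i]];
    }
    return [hex copy];
}

// BEFORE: the pattern the scanner flags. CC_MD5 is deprecated in the iOS 13.0
// SDK; the pragmas only silence that warning so the old form compiles here.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
static NSData *ExampleLegacyMD5(NSData *input) {
    unsigned char digest[CC_MD5_DIGEST_LENGTH];        // 16 bytes
    CC_MD5(input.bytes, (CC_LONG)input.length, digest);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}
#pragma clang diagnostic pop

// AFTER: CC_SHA256 from the same CommonCrypto module is not deprecated and is
// what the quoted header text recommends. 32-byte digest, so 32 "%02x" fields.
static NSData *ExampleSHA256(NSData *input) {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];     // 32 bytes
    CC_SHA256(input.bytes, (CC_LONG)input.length, digest);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}
// Constant-time comparison for callers that validate a stored digest; a
// memcmp-style compare stops at the first differing byte and leaks its position.
static BOOL ExampleDigestsEqual(NSData *a, NSData *b) {
    if (a.length != b.length) return NO;
    const unsigned char *pa = a.bytes, *pb = b.bytes;
    unsigned char diff = 0;
    for (NSUInteger i = 0; i < a.length; i++) diff |= pa[i] ^ pb[i];
    return diff == 0;
}
int main(void) {
    @autoreleasepool {
        // Constructed sample input, not real SDK configuration data.
        NSData *flags = [@"constructed flags payload" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *expected = ExampleSHA256(flags);
        NSLog(@"md5=%@", ExampleHexString(ExampleLegacyMD5(flags)));
        NSLog(@"sha256=%@ valid=%d", ExampleHexString(expected), ExampleDigestsEqual(ExampleSHA256(flags), expected));
    }
    return 0;
}
```

Build with `clang -framework Foundation example.m` on macOS or in an iOS target; the deprecation warning reappears as soon as the pragma pair around the MD5 form is removed, which is the signal the scanner keys on.
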
wangela commented 2 months ago

If you would like to upvote the priority of this issue, please comment below or react on the original post above with :+1: so we can see what is popular when we triage.

@andrewdhan Thank you for opening this issue. 🙏 Please check out these other resources that might help you get to a resolution in the meantime:

This is an automated message, feel free to ignore.