infobip / mobile-messaging-sdk-ios

Mobile Messaging SDK for iOS
Apache License 2.0

NowSecure dynamic analysis: App is Encoding Sensitive Information Using Outdated or Insecure Cryptography #47

Closed Chanick-Park closed 10 months ago

Chanick-Park commented 1 year ago

Hi Team,

We received a report about a security problem with the cryptographic algorithms of the app currently in service. Please see the details below and avoid the weak cryptographic algorithms to protect information and processes. Thank you,

Finding Description

The application was found to operate weak cryptographic algorithms on sensitive data while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. The sensitive data being encoded with the weak algorithm is also at a greater risk of being exposed due to the often trivial effort to decode the data.

Steps to Reproduce

Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC. NowSecure's automated testing for this vulnerability analyzes CommonCrypto API requests that use easily decrypted algorithms and then attempts to decode or decrypt sensitive data.

Business Impact

Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.

Remediation Resources

Recommended Fix

Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files. The Findings Evidence table provides the instances where an insecure method was used paired with the data that was encrypted.

Code Samples

Good Code Example (.swift)

    // SHA-256 hash to validate an API key
    import CommonCrypto
    import Foundation

    func sha256(string: String) -> Data? {
        guard let messageData = string.data(using: .utf8) else { return nil }
        var digestData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))

        // Hash the UTF-8 bytes of the string directly into digestData.
        _ = digestData.withUnsafeMutableBytes { digestBytes in
            messageData.withUnsafeBytes { messageBytes in
                CC_SHA256(messageBytes.baseAddress, CC_LONG(messageData.count),
                          digestBytes.bindMemory(to: UInt8.self).baseAddress)
            }
        }
        return digestData
    }

    let bundledAPIhash = "..." // hex-encoded SHA-256 hash of the API key bundled with the app
    let APIKey = "..." // potential copy of the API key received over a secure connection with a server
    // Hex-encode the digest so it can be compared with the bundled hash string.
    let hashedAPIKey = sha256(string: APIKey)?.map { String(format: "%02x", $0) }.joined()
    if bundledAPIhash == hashedAPIKey {
        print("The API Key is correct")
    } else {
        print("The API Key is incorrect")
    }

Good Code Example (.objc)

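    // SHA-256 hashing
    #import <CommonCrypto/CommonDigest.h>

    + (NSData *)doSha256:(NSData *)dataIn {
        NSMutableData *macOut = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH];
        CC_SHA256(dataIn.bytes, (CC_LONG)dataIn.length, macOut.mutableBytes);
        return macOut;
    }

    // The lines below are assumed to run in another class method of the class that declares +doSha256:.
    NSString *bundledAPIHashed = @"..."; // hex-encoded SHA-256 hash of the API key bundled with the app
    NSString *APIKey = @"..."; // potential copy of the API key received over a secure connection with a server
    NSData *digest = [self doSha256:[APIKey dataUsingEncoding:NSUTF8StringEncoding]];

    // Hex-encode the digest so it can be compared with the bundled hash string.
    const uint8_t *digestBytes = digest.bytes;
    NSMutableString *hashedAPIKey = [NSMutableString stringWithCapacity:digest.length * 2];
    for (NSUInteger i = 0; i < digest.length; i++) {
        [hashedAPIKey appendFormat:@"%02x", digestBytes[i]];
    }

    if ([bundledAPIHashed isEqualToString:hashedAPIKey]) {
        printf("The secret is correct");
    } else {
        printf("The secret is incorrect");
    }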

Additional Guidance

This link provides a general overview of cryptography concepts: https://developer.apple.com/library/archive/documentation/Security/Conceptual/cryptoservices/CryptographyConcepts/CryptographyConcepts.html

This resource describes asymmetric and symmetric keys for cryptography: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/using_keys_for_encryption

Risk and Regulatory Information

Severity: medium
CVSS: 4.8
CWE: 312
FISMA MED: SC-28 PROTECTION OF INFORMATION AT REST
Risk OWASP: Mobile Top 10: M2-Insecure Data Storage, MASVS 3.2
GDPR: Risks violating Article 25, Risks violating Article 32
FFIEC: May violate D3.PC.Am.A.1
PCI: May violate requirement 3.1 through 3.4
HIPAA: May violate §164.312(a)(1): Standard: Access control.
CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
CWE Top 25: 2021 CWE Top 25 Most Dangerous Software Errors
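The source inspection that the report's "Steps to Reproduce" asks for can be scripted. The following is an added example, not part of the issue, the NowSecure report or the SDK: it scans Swift/Objective-C sources, vendored third-party code included, for CommonCrypto identifiers that select an algorithm or mode on the report's avoid list. The identifier map, the function names and the sample input are this example's own assumptions.

```python
import os
import re

# CommonCrypto identifiers mapped to the algorithm names the report lists.
# The selection is this example's; extend it for other crypto libraries.
WEAK = {
    "CC_MD4": "MD4", "CC_MD5": "MD5", "CC_SHA1": "SHA1",
    "kCCAlgorithmRC4": "RC4", "kCCAlgorithmDES": "DES",
    "kCCAlgorithm3DES": "DES3", "kCCOptionECBMode": "ECB",
    "kCCModeECB": "ECB", "kCCModeCBC": "CBC",
}
# Optional suffix catches the streaming digest calls (CC_MD5_Init, ...);
# the trailing \b keeps CC_SHA1_DIGEST_LENGTH and CC_SHA256 from matching.
_IDENT = re.compile(r"\b(" + "|".join(WEAK) + r")(?:_Init|_Update|_Final)?\b")
_LINE_COMMENT = re.compile(r"(?<!:)//.*$")  # keeps "https://" in strings

def scan_source(text, path="<memory>"):
    """Return (path, line number, identifier, algorithm) for each weak use."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = _LINE_COMMENT.sub("", line)  # ignore mentions in // comments
        for m in _IDENT.finditer(code):
            findings.append((path, lineno, m.group(0), WEAK[m.group(1)]))
    return findings

def scan_tree(root, exts=(".swift", ".m", ".mm", ".h", ".c")):
    """Scan a checkout, including vendored third-party directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += scan_source(fh.read(), path)
    return findings

# Constructed sample input, not code from the SDK.
SAMPLE = """\
// CC_MD5 used to be called here
CC_SHA256(data.bytes, (CC_LONG)data.length, out.mutableBytes);
CC_MD5(data.bytes, (CC_LONG)data.length, md);
CCCrypt(kCCEncrypt, kCCAlgorithmDES, kCCOptionPKCS7Padding | kCCOptionECBMode,
unsigned char buf[CC_SHA1_DIGEST_LENGTH]; CC_SHA1_Update(&ctx, p, n);
"""

if __name__ == "__main__":
    for path, lineno, ident, algo in scan_source(SAMPLE, "sample.m"):
        print(f"{path}:{lineno}: {ident} -> {algo}")
```

CBC selected implicitly, by calling `CCCrypt` without `kCCOptionECBMode`, leaves no identifier to match, so those call sites still need manual review.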

riskpp commented 1 year ago

Hello @Chanick-Park, thank you for the information. We have a task about that in our backlog already; we will inform you about ETAs later.

riskpp commented 10 months ago

Hello @Chanick-Park, it was fixed in version 12.1.0.

Chanick-Park commented 10 months ago

@riskpp Sounds great! Thank you.