The app uses insecure cryptographic hashing algorithms.
It is generally recommended to avoid using insecure cryptographic hashing algorithms, such as MD2, MD4, MD5, and SHA1, in new apps. These algorithms have known weaknesses and are not considered secure for use in cryptographic operations.
For example, the SHA1 family of algorithms is explicitly discouraged by the National Institute of Standards and Technology (NIST). NIST recommends transitioning away from SHA1 because of a serious published cryptanalytic attack on its collision resistance - a property that is necessary for its use in digital signature applications.
Evaluation Criteria:
The evidence table lists all uses of weak hashing algorithms:
Method: method that applies the hashing algorithm
Count: number of times the method was used
Format: encoding format of the value (base64 or plaintext)
Value: hashed value
Locations: location data, including IDs that can be resolved using the NowSecure Locations API, representing where the reported data occurs within the app.
Inspect the source code for the classes and methods indicated by the evidence table. If using these algorithms is part of your app's intended functionality, and they are used in any security-relevant context (e.g. to protect the integrity of sensitive data), then this should be considered a vulnerability and the recommendation steps must be followed.
Note that the weak hashing algorithms might be used by third-party libraries included in your app. Determine whether your app uses any functionality from those libraries that implies the use of these algorithms.
Steps to Reproduce
While the application is exercised on a physical device, all cryptographic operations are monitored. Those that use known insecure hashing algorithms are flagged. This methodology is applied to the entire application binary and may include results from third-party code or libraries.
Remediation Resources
If you are using an insecure cryptographic hash function in an existing app, consider replacing it with a secure one as soon as possible. This will help to ensure the security and integrity of your app.
Use cryptographic hashing algorithms that are considered secure and recommended by current best-practice guidance.
Guidance can be found from Apple.
For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet and NIST's documentation on hashing functions.
Risk and Regulatory Information
Severity: info
Policy Category: Review Required
Evidence
| Method | Count | Format | Value |
|---|---|---|---|
| CC_SHA1 | 1 | plaintext | b3979d1be6f33e19bb01d61ac367a321 |
| CC_SHA1 | 1 | plaintext | 08D05656-2BE4-4DFB-94D8-910657C9A863F507A71D-4326-4946-8EE1-F76C892C6475 |