Finding Description
The app uses insecure cryptographic hashing algorithms.
It is generally recommended to avoid insecure cryptographic hashing algorithms such as MD2, MD4, MD5 and SHA1 in new applications. These algorithms have known weaknesses and are not considered secure for use in cryptographic operations.
For example, the SHA1 family of algorithms is explicitly discouraged by the National Institute of Standards and Technology (NIST). NIST recommends transitioning away from it because of a serious cryptanalytic attack on SHA1's collision resistance, a property required for its use in digital signature applications.
Evaluation Criteria:
The evidence table lists all uses of weak hashing algorithms:
Class: the class that used the hashing algorithm
Method: the method that used the hashing algorithm
Algorithm: the hashing algorithm used
Issue: the library that provided the crypto API
Hash Input: the data fed to the hashing algorithm, shown as hex.
Locations: location data, including IDs that can be resolved with the NowSecure Locations API, giving where the reported data appears within the app.
Inspect the source code for the classes and methods indicated by the evidence table. If using these algorithms is part of your app's intended functionality and they are used in any security-relevant context (e.g. to protect the integrity of sensitive data), then this should be considered a vulnerability and the recommended steps must be followed.
Note: the weak hashing algorithms might be used by a direct package dependency of your app or a dependency of a third-party library included in your project. If that's the case, update the third-party library or use a different one.
Steps to Reproduce
While the application runs, cryptographic APIs are monitored to identify any insecure usage of cryptographic algorithms or primitives on data that is considered potentially sensitive by our automation. Insecure hashing algorithms include uses of MD2, MD4, MD5 and SHA1.
Remediation Resources
If you are using an insecure cryptographic hash function in an existing app, consider replacing it with a secure one as soon as possible. This will help to ensure the security and integrity of your app.
Use cryptographic hashing algorithms that are considered secure and recommended by current best-practice guidance.
Guidance can be found for Android.
For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet and NIST's documentation on hashing functions.
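As an added illustration (not code from NowSecure or from the scanned app), the call pattern the evidence table reports, `MessageDigest.getInstance("MD5")` followed by `update`, is shown beside its SHA-256 replacement, together with a wrapper that refuses the weak algorithm names listed above and a constant-time integrity comparison. The class and method names are assumptions made for this example, and the payload is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example: weak MD5 usage beside its SHA-256 replacement.
// Class and method names are hypothetical; they are not from the scanned app.
public final class HashExample {

    // Algorithm names (as accepted by MessageDigest.getInstance) covered by this finding.
    private static final Set<String> WEAK_ALGORITHMS = new HashSet<>(
            Arrays.asList("MD2", "MD4", "MD5", "SHA-1", "SHA1"));

    // BEFORE: the pattern the evidence table reports (getInstance("MD5"), then update).
    // Kept only to show what the scanner sees at runtime.
    static byte[] weakDigest(byte[] data) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(data);
        return md.digest();
    }

    // AFTER: same call shape with a secure algorithm. SHA-256 is available on all Android versions.
    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Defensive wrapper: fail fast if a weak algorithm name reaches getInstance,
    // for example when the name comes from configuration or a library call site.
    static MessageDigest strongDigest(String algorithm) throws NoSuchAlgorithmException {
        if (WEAK_ALGORITHMS.contains(algorithm.toUpperCase(Locale.ROOT))) {
            throw new IllegalArgumentException("Weak hash algorithm rejected: " + algorithm);
        }
        return MessageDigest.getInstance(algorithm);
    }

    // Integrity check: recompute the digest and compare it with the expected value.
    // MessageDigest.isEqual runs in constant time, unlike Arrays.equals.
    static boolean integrityMatches(byte[] data, byte[] expectedSha256)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(sha256(data), expectedSha256);
    }

    // Hex rendering in the same form as the report's "Hash Input" column.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input; not data taken from the scanned app.
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        System.out.println("MD5 (flagged):  " + hex(weakDigest(payload)));
        System.out.println("SHA-256 (ok):   " + hex(sha256(payload)));
        System.out.println("integrity ok:   " + integrityMatches(payload, sha256(payload)));
        try {
            strongDigest("MD5");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

SHA-256 is a drop-in replacement where the hash protects integrity or feeds a signature. Where the input is a user password, a plain hash of any strength is the wrong tool; use a dedicated password hashing function (PBKDF2, bcrypt, scrypt or Argon2) as the OWASP password storage guidance describes.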
Risk and Regulatory Information
Severity: info
Policy Category: Review Required
Evidence
| Class | Method | Algorithm | Hash Input |
|---|---|---|---|
| java.security.MessageDigest | getInstance | MD5 | |
| java.security.MessageDigest$Delegate | update | MD5 | |
| java.security.MessageDigest | getInstance | MD5 | |

... and 57 more