Open lcimeni opened 3 years ago
Update: This finding has been permanently hidden by Lorenz Cimeni, so no additional action required.
Powered by NowSecure Platform
Update: This finding is no longer marked as hidden. Additional action is required. Change made by: Lorenz Cimeni.
Finding Description
The application was found to use weak cryptographic algorithms on sensitive data while the app was being exercised. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly disclosed and non-public attacks. Sensitive data protected with a weak algorithm is also at greater risk of exposure, because the effort needed to decode or decrypt it is often trivial.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms; these inspections may also reveal the use of weak cryptography by third-party code. Avoid the following weak cryptographic algorithms and modes: RC4, DES, DES3, MD5, SHA1, MD4, ECB, and CBC. NowSecure's automated testing for this vulnerability analyzes CommonCrypto API requests that use easily decrypted algorithms and then attempts to decode or decrypt the sensitive data.
Business Impact
Weak cryptographic algorithms have well-documented vulnerabilities that can lead to a loss of confidentiality or an inability to maintain the integrity of business-sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
Remediation Resources
Recommended Fix
Do not use weak cryptographic algorithms such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, or CBC to protect information and processes, nor the algorithms discussed here. For guidance on best practices in choosing strong cryptography, see OWASP's Cryptographic Storage Cheat Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files. The Findings Evidence table lists each instance where an insecure method was used, paired with the data that was encrypted.
Code Samples
Good Code Example (.swift)
Good Code Example (.objc)
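The finding's own code samples did not survive in this issue, so the following is an added example (not NowSecure's or Apple's code) of the primitives the fix recommends: AES-GCM via Apple's CryptoKit instead of CommonCrypto ECB/CBC, and SHA-256 instead of MD5/SHA-1. The function names and the sample data are assumptions for illustration; key persistence in the Keychain is out of scope.

```swift
import Foundation
import CryptoKit

// Hypothetical error type and helper names; not from the NowSecure finding or Apple's docs.
enum SecureStorageError: Error { case malformedPayload }

// Generate a random 256-bit key once and keep it in the Keychain (Keychain code omitted);
// never derive a key from a hard-coded string or a weak hash such as MD5/SHA-1.
let key = SymmetricKey(size: .bits256)

// Encrypt with AES-GCM: authenticated encryption with a fresh random 96-bit nonce per call,
// so there is no ECB block-pattern leakage and no CBC padding-oracle exposure.
func sealSensitiveData(_ plaintext: Data, with key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key)
    // `combined` is nonce || ciphertext || tag; it is nil only for non-standard nonce sizes.
    guard let payload = box.combined else { throw SecureStorageError.malformedPayload }
    return payload
}

// Decrypt; the tag check makes `open` throw on any tampered or truncated payload.
func openSensitiveData(_ payload: Data, with key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: payload)
    return try AES.GCM.open(box, using: key)
}

// Integrity-only uses (e.g. fingerprinting a file) should use SHA-256, not MD5 or SHA-1.
func fingerprint(_ data: Data) -> String {
    SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
}

// Constructed sample input for a stand-alone run.
let secret = Data("session token: constructed-sample-value".utf8)
let sealed = try sealSensitiveData(secret, with: key)
let recovered = try openSensitiveData(sealed, with: key)
assert(recovered == secret)

// Tampering with one ciphertext byte must fail authentication rather than yield garbage.
var tampered = sealed
tampered[tampered.count - 1] ^= 0x01
assert((try? openSensitiveData(tampered, with: key)) == nil)

print("sealed bytes:", sealed.count, "sha256:", fingerprint(secret))
```

When reviewing existing code for this finding, look for `CCCrypt` calls with `kCCOptionECBMode` or no authentication tag, and for `CC_MD5`/`CC_SHA1` over sensitive values; each is a candidate for the replacements shown above.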
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 4.8
Application
See more detail in the NowSecure Report