The application was found to use weak cryptographic algorithms while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. In cases of weak cryptographic methods being used in an app, an attacker may be able to break the confidentiality and integrity of app data.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC.
NowSecure's automated testing for this vulnerability examines CommonCrypto API requests and identifies easily decrypted algorithms in use.
Business Impact
Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
Finding Description
The application was found to use weak cryptographic algorithms while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. In cases of weak cryptographic methods being used in an app, an attacker may be able to break the confidentiality and integrity of app data.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC. NowSecure's automated testing for this vulnerability examines CommonCrypto API requests and identifies easily decrypted algorithms in use.
Business Impact
Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
Remediation Resources
Recommended Fix
Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat_Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files.
Code Samples
Good Code Example (.swift)
Good Code Example (.objc)
Additional Guidance
Risk and Regulatory Information
Severity: low CVSS: 3.7
Application
See more detail in the NowSecure Report