search

lcimeni / tiktok-ios

0 stars 0 forks source link

NowSecure dynamic analysis: App is Using Outdated or Insecure Cryptography #48

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

The application was found to use weak cryptographic algorithms while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. In cases of weak cryptographic methods being used in an app, an attacker may be able to break the confidentiality and integrity of app data.

Steps to Reproduce

Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC. NowSecure's automated testing for this vulnerability examines CommonCrypto API requests and identifies easily decrypted algorithms in use.

Business Impact

Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.

Remediation Resources

Recommended Fix

Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat_Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files.

Code Samples

Good Code Example (.swift)

//sha256 hashing
#import <CommonCrypto/CommonDigest.h>
func sha256(string: String) -> Data? {
guard let messageData = string.data(using:String.Encoding.utf8) else { return nil }
var digestData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))

_ = digestData.withUnsafeMutableBytes {digestBytes in
messageData.withUnsafeBytes {messageBytes in
CC_SHA256(messageBytes, CC_LONG(messageData.count), digestBytes)
}
}
return digestData
}

let secretHashed = "..." //SHA256 hash of secret bundled in program 
let potentialSecret = "..." //Potential secret obtained from server with secure connection
let potentialHashed = sha256(string: potentialSecret)
if secretHashed == potentialHashed {
print("The secret is correct")
} else {
print("The secret is incorrect")
}

Good Code Example (.objc)

//sha256 hashing
#import <CommonCrypto/CommonDigest.h>
+ (NSData *)doSha256:(NSData *)dataIn {
NSMutableData *macOut = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH];
CC_SHA256(dataIn.bytes, dataIn.length, macOut.mutableBytes);
return macOut;
}

NSString *secretHashed = @"..." //sha256 hash of secret bundled in program
NSString *potentialSecret = @"..." //Potential secret obtained from server with secure connection
NSString *potentialHashed = [potentialSecret doSha256]
if ([secretHashed isEqualToString:secretHashed]) 
{
printf("The secret is correct")
} else
{
printf("The secret is incorrect")
}

Additional Guidance

Risk and Regulatory Information

Severity: low CVSS: 3.7

Application

See more detail in the NowSecure Report