The application was found to operate weak cryptographic algorithms on sensitive data while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks.
The sensitive data being encoded with the weak algorithm is also at a greater risk of being exposed due to the often trivial effort to decode the data.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC.
NowSecure's automated testing for this vulnerability analyzes CommonCrypto API requests that use easily decrypted algorithms and then attempts to decode or decrypt sensitive data.
Business Impact
Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
//sha256 hash to validate an APIKey
#import <CommonCrypto/CommonDigest.h>
func sha256(string: String) -> Data? {
guard let messageData = string.data(using:String.Encoding.utf8) else { return nil }
var digestData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))
_ = digestData.withUnsafeMutableBytes {digestBytes in
messageData.withUnsafeBytes {messageBytes in
CC_SHA256(messageBytes, CC_LONG(messageData.count), digestBytes)
}
}
return digestData
}
let bundledAPIhash = "..." //sha256 hash of the API key bundled with the app
let APIKey = "..." //potential copy of the API key received over a secure connection with a server
let hashedAPIKey = sha256(APIKey)
if bundledAPIhash == hashedAPIKey {
print("The API Key is correct")
} else {
print("The API Key is incorrect")
}
Good Code Example (.objc)
//sha256 hashing
#import <CommonCrypto/CommonDigest.h>
+ (NSData *)doSha256:(NSData *)dataIn {
NSMutableData *macOut = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH];
CC_SHA256(dataIn.bytes, dataIn.length, macOut.mutableBytes);
return macOut;
}
NSString *bundledAPIHashed = @"..." //sha256 hash of the API key bundled with the app
NSString *APIKey = @"..." //potential copy of the API key received over a secure connection with a server
NSString *hashedAPIKey = [APIKey sha256]
if ([bundledAPIHashed isEqualToString:hashedAPIKey])
{
printf("The secret is correct")
} else
{
printf("The secret is incorrect")
}
Finding Description
The application was found to operate weak cryptographic algorithms on sensitive data while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. The sensitive data being encoded with the weak algorithm is also at a greater risk of being exposed due to the often trivial effort to decode the data.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC. NowSecure's automated testing for this vulnerability analyzes CommonCrypto API requests that use easily decrypted algorithms and then attempts to decode or decrypt sensitive data.
Business Impact
Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
Remediation Resources
Recommended Fix
Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat_Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files. The Findings Evidence table provides the instances where an insecure method was used paired with the data that was encrypted.
Code Samples
Good Code Example (.swift)
Good Code Example (.objc)
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 4.8
Application
See more detail in the NowSecure Report