Open lcimeni opened 3 years ago
Update: This finding has been marked as ‘Pass’ by Lorenz Cimeni, so no additional action required.
Powered by NowSecure Platform
Update: This finding has been permanently hidden by Lorenz Cimeni, so no additional action required.
Powered by NowSecure Platform
Update: The risk severity (CVSS score) of this finding has been modified from 10 to 0 by Lorenz Cimeni.
Powered by NowSecure Platform
Update: This finding is no longer marked as 'Pass'. Additional action is required. Change made by: Lorenz Cimeni.
Powered by NowSecure Platform
Update: This finding is no longer marked as hidden. Additional action is required. Change made by: Lorenz Cimeni.
Powered by NowSecure Platform
Finding Description
The application was found to use weak cryptographic algorithms while exercising the app. These outdated algorithms are often in violation of common compliance standards and can be vulnerable to publicly-disclosed and non-public attacks. In cases of weak cryptographic methods being used in an app, an attacker may be able to break the confidentiality and integrity of app data.
Steps to Reproduce
Source code should be inspected for uses of weak cryptographic algorithms. These inspections may also reveal the use of weak cryptography by third party code. Please avoid the following weak cryptographic algorithms: RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC. NowSecure's automated testing for this vulnerability examines CommonCrypto API requests and identifies easily decrypted algorithms in use.
Business Impact
Weak cryptographic algorithms have well documented vulnerabilities that can cause issues relating to loss of confidentiality or an inability to maintain the integrity of business sensitive processes. The use of outdated cryptography may also affect an organization's regulatory and compliance certifications.
Remediation Resources
Recommended Fix
Do not use weak cryptographic algorithms to protect information and processes such as RC4, DES, DES3, MD5, SHA1, MD4, ECB, & CBC as well as algorithms discussed here. For guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat_Sheet. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files.
Code Samples
Good Code Example (.swift)
Good Code Example (.objc)
Additional Guidance
Risk and Regulatory Information
Severity: info CVSS: 10
Application
See more detail in the NowSecure Report