SHA-1 usaged flagged as a security risk

[woxblom]

We just had a security penetration review of our app and SHA-1 usage in mixpanel was flagged as a security risk.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

com.mixpanel.android.util.ImageStore

public ImageStore(Context context, String directoryName, RemoteService poster) {
        mDirectory = context.getDir(directoryName, Context.MODE_PRIVATE);
        mPoster = poster;
        mConfig = MPConfig.getInstance(context);
        MessageDigest useDigest;
        try {
            useDigest = MessageDigest.getInstance("SHA1"); <-------
        } catch (NoSuchAlgorithmException e) {
            MPLog.w(LOGTAG, "Images won't be stored because this platform doesn't supply a SHA1 hash function");
            useDigest = null;
        }

com.mixpanel.android.java_websocket.drafts.Draft_10

private String generateFinalKey( String in ) {
        String seckey = in.trim();
        String acc = seckey + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
        MessageDigest sh1;
        try {
            sh1 = MessageDigest.getInstance( "SHA1" ); <------
        } catch ( NoSuchAlgorithmException e ) {
            throw new RuntimeException( e );
        }
        return Base64.encodeBytes( sh1.digest( acc.getBytes() ) );
    }

Is this code used? If it is can this be changed to something like SHA-256 instead? https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

[zihejia]

hi @woxblom , if you don't use Mixpanel for messaging or A/B testing(M&E), you can use our latest beta version without M&E instead. https://github.com/mixpanel/mixpanel-android/releases/tag/v6.0.0-beta1.

Since M&E is deprecated, we will not likely change the code, unfortunately. Sorry for the incovenience.