I am using the open source MobSF security framework to scan my Swift project’s source code and its dependences for vulnerabilities. Most things look pretty good however I’m concerned that it is showing me that encryption algorithms (MD5, SHA1) in my dependencies are not sufficiently secure.
What would be standard practice for solving this? I made sure to pull the latest branches for most of these but they seem to insist on using outdated algos. I am reluctant to go in and have to change their source code only to have it wiped out each time I rebuild the Podfile.
First, it depends on why they’re using these algorithms. For certain uses, there are no security problems with MD5 or SHA-1, and they may be necessary for compatibility with existing standards or backward compatibility.
As an example, PBKDF2 is perfectly secure using SHA-1 as its hash. It doesn’t require a very strong hash function to maintain its own security. It’s even secure using MD5. Switching to SHA-2 with PBKDF2 doesn’t improve security, it’s just "security hygiene," which is "avoid algorithms that have known problems even being in your code, even if they cause no problems in your particular use case." Security hygiene is a good practice, but it’s not the same thing as security.
For other use cases, the security of the hash function is critical. If a framework is authenticating arbitrary messages using MD5, that’s completely broken. Don’t take this answer to suggest that algorithms don’t matter. They do! But not in every use case. And if you want to decode credit card swipe transactions, you’re probably going to need DES to be in your code, which is horribly broken, but you’re still going to need it because that’s how magnetic stripes are encrypted. It doesn’t make your framework "insecure."
When you say "but they seem to insist on using outdated algos," I assume you mean you opened a PR and they rejected it, in which case I assume they have a good reason (such as backward compatibility when there is no actual security problem). If you haven’t, then obviously the first step would be to open a PR.
That said, if you want to change this because you feel there is an actual security problem that they will not resolve, or purely for hygiene, then with CocoaPods you would fork the project, modify it, and point to your own version using the
source attribute to the
Maintaining a cryptography framework myself, I often get bug reports that are simply wrong from developers using these scanners. Make sure that you know what the scanner is telling you and how to evaluate the findings. False positives are extremely common with these. These tools are useful, but you need to have some expertise to read their reports.
Answered By – Rob Napier
Answer Checked By – Robin (BugsFixing Admin)