Skip to content

MASTG-TEST-0211: Broken Hashing Algorithms

Overview

To test for the use of broken hashing algorithms in iOS apps, we need to focus on APIs from cryptographic frameworks and libraries that are used to perform hashing operations.

  • CommonCrypto: CommonDigest.h defines the following hashing algorithms:

    • CC_MD2
    • CC_MD4
    • CC_MD5
    • CC_SHA1
    • CC_SHA224
    • CC_SHA256
    • CC_SHA384
    • CC_SHA512

  • CryptoKit: Supports three cryptographically secure hashing algorithms and two insecure ones in a dedicated class called Insecure:

    • SHA256
    • SHA384
    • SHA512
    • Insecure.MD5
    • Insecure.SHA1

Note: the Security framework only supports asymmetric algorithms and is therefore out of scope for this test.

Steps

  1. Use Exploring the App Package to extract the relevant binaries from app package.
  2. Use Static Analysis on iOS to look for the relevant APIs in the app binaries.

Observation

The output should contain the disassembled code of the functions using the relevant cryptographic functions.

Evaluation

The test case fails if you can find the use of broken hashing algorithms within the source code. For example:

  • MD5
  • SHA-1

Further Validation Required:

Inspect each reported code location using Reviewing Disassembled Objective-C and Swift Code to determine whether the algorithm is used in a security-relevant context to protect sensitive data:

  • Determine whether the hashing algorithm is used for cryptographic security purposes rather than for non-security tasks such as checksums. For example, using MD5 for hashing passwords is disallowed by NIST, but using MD5 for checksums where security is not a concern is generally acceptable.

Stay up-to-date: This is a non-exhaustive list of broken algorithms. Make sure to check the latest standards and recommendations from organizations such as the National Institute of Standards and Technology (NIST), the German Federal Office for Information Security (BSI) or any other relevant authority in your region. This is important when building an app that uses data that will be stored for a long time. Make sure you follow the NIST recommendations from NIST IR 8547 "Transition to Post-Quantum Cryptography Standards", 2024.

Demos

MASTG-DEMO-0015: Uses of Broken Hashing Algorithms in CommonCrypto with r2 MASTG-DEMO-0016: Uses of Broken Hashing Algorithms in CryptoKit with r2