Hashing algorithm with known collision used

Our penetration team has raised the point below:


Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash).

Using weak hashing algorithms could result in sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks.

Recommendations:
It is recommended to use safer/stronger hashing alternatives, such as SHA-256, SHA-512, SHA-3, etc.

They found this SHA-1 reference in the Android “SecureHashUtil” file, and we are unable to find a solution to resolve this. Need help.

Hi @imiksa

Did they just find references to SHA-1 code in your app? Or did they find that your app was actually calling those functions?

As far as I can see SecureHashUtil is part of facebook/fresco, which is “a powerful system for displaying images in Android applications”. As far as I can see the hash is used as a cache key. So (just guessing) it seems like the worst that might happen is you display the wrong image somewhere. If you’re not displaying user-provided images then perhaps this is not a problem.

Do you have the SecureHashUtil.java file somewhere in your project directory? (Probably somewhere under node_modules, I suppose.) If so, what dependency is pulling it in? You might be able to use patch-package to patch it to use SHA-256 instead of SHA-1.
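For reference, this is what a SHA-256 cache-key helper of the kind suggested above looks like on Android. It is an added example written for this thread, not fresco's own SecureHashUtil code; the class name CacheKeyHasher and the sample URL are assumptions. It uses only java.security.MessageDigest, which is available on every Android API level, and hex-encodes the 32-byte digest so the result is safe to use as a file name in a disk cache.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical replacement for a SHA-1-based cache-key helper (example code,
 * not fresco's SecureHashUtil). Derives a disk-cache key from an image URL
 * using SHA-256 instead of SHA-1.
 */
public final class CacheKeyHasher {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private CacheKeyHasher() {}

    /** Returns the lowercase hex SHA-256 digest of {@code key} (64 characters). */
    public static String sha256Hex(String key) {
        try {
            // MessageDigest instances are not thread-safe, so create one per call
            // rather than sharing a static instance across image requests.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(key.getBytes(StandardCharsets.UTF_8));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm on both Java SE and Android,
            // so reaching this branch indicates a broken runtime, not bad input.
            throw new IllegalStateException("SHA-256 is required but unavailable", e);
        }
    }

    /** Hex-encodes a byte array without pulling in any third-party library. */
    private static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xff;
            out[i * 2] = HEX[v >>> 4];
            out[i * 2 + 1] = HEX[v & 0x0f];
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample input: an image URL as an image pipeline would see it.
        String imageUrl = "https://example.com/images/avatar.png?size=128";
        String key = sha256Hex(imageUrl);
        System.out.println("cache key for " + imageUrl + " = " + key);
        // Two distinct URLs must map to distinct keys; with SHA-256 an attacker
        // cannot craft a second URL that collides with a trusted one.
        System.out.println("distinct: " + !key.equals(sha256Hex(imageUrl + "&v=2")));
    }
}
```

If you patch a library's helper this way, note that the key length changes from 40 hex characters (SHA-1) to 64 (SHA-256), so any existing on-disk cache entries will simply miss and be re-fetched; nothing else in the cache layout needs to know which algorithm produced the key.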