ios-maps-sdk
Google Maps: App Security issues found in GMS for iOS
Environment details
- Google Maps
- iOS
- Maps version 8.2.0
Our dynamic app security scan provider, Data Theorem, identified that
[GMS uses] the CC_MD hashing functions, which leverage hashing algorithms (including MD2 and MD5) that are proven to be vulnerable to collision attacks, and are unsuitable for modern use.
Apple has officially deprecated these APIs in the iOS 13.0 SDK. They state in the CommonCrypto headers:
"These functions are cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger)."
If CC_MD hashing functions are used in a security context, are there plans to update the SDK with use of stronger algorithms with better collision resistance properties, such as SHA-256 or SHA-512?
If CC_MD is not being used in a security context, can you confirm so?
Thank you!
Stack trace
-[GMSx_GNSStreamProviderImpl outputStreamToBuffer:capacity:]
-[GMSx_GNSStreamProviderImpl outputStreamToMemory]
-[GMSx_CCTClearcutCounters initWithClock:]
-[GMSx_CCTClearcutLogEvent initWithLogSource:isAnonymous:clock:]
-[GMSx_CCTClearcutLogEvent initWithLogSource:isAnonymous:]
-[GMSx_CCTClearcutLogEvent initWithLogSource:]
@"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]
-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]
-[GMSx_PHTSnapshot emptyConfiguration:]
-[GMSx_PHTSnapshot isValidFlagsHashInSnapshot:]
-[GMSx_PHTURL sharedDirectoryWithError:]
-[_OBJC_CLASS_$_NSMutableArray init]
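
A way to check a finding like this against a binary's imports. This is an added example, not part of the original report, the scanner's output or the SDK. It assumes the undefined-symbol list has already been captured with `nm -u`; the sample text below is constructed, and `deprecated_digest_imports` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# One undefined-symbol line from `nm -u`. Some nm builds print a "U" column,
# others print the bare name; Mach-O prefixes C symbols with an underscore.
# Only the CC_MD2 / CC_MD4 / CC_MD5 one-shot and streaming entry points match,
# so CC_SHA256 and unrelated symbols such as CCCrypt are ignored.
SYMBOL_RE = re.compile(
    r"^\s*(?:U\s+)?_?(CC_(MD[245])(?:_(?:Init|Update|Final))?)\s*$"
)


def deprecated_digest_imports(nm_output):
    """Return {digest family: sorted imported symbols} for deprecated digests."""
    found = defaultdict(set)
    for line in nm_output.splitlines():
        match = SYMBOL_RE.match(line)
        if match:
            found[match.group(2)].add(match.group(1))
    return {family: sorted(symbols) for family, symbols in sorted(found.items())}


# Constructed sample input, not taken from the Maps SDK binary.
SAMPLE_NM = """\
                 U _CC_MD5
                 U _CC_SHA256
                 U _CC_MD5_Init
                 U _CC_MD5_Update
                 U _CC_MD5_Final
                 U _CC_SHA256_Init
                 U _CCCrypt
_CC_MD4_Update
                 U _CC_MD2
                 U _CC_MD5x
                 U _objc_msgSend
"""

if __name__ == "__main__":
    for family, symbols in deprecated_digest_imports(SAMPLE_NM).items():
        print(f"{family}: {', '.join(symbols)}")
```

An import only shows that the deprecated API is linked. Whether it is used in a security context still has to be answered from the call sites, which is the question the report asks.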