
SHA-1 usage flagged as a security risk #750

Closed

woxblom opened this issue Jul 12, 2021 · 1 comment

Comments


woxblom commented Jul 12, 2021

We just had a security penetration review of our app and SHA-1 usage in mixpanel was flagged as a security risk.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

com.mixpanel.android.util.ImageStore

public ImageStore(Context context, String directoryName, RemoteService poster) {
    mDirectory = context.getDir(directoryName, Context.MODE_PRIVATE);
    mPoster = poster;
    mConfig = MPConfig.getInstance(context);
    MessageDigest useDigest;
    try {
        useDigest = MessageDigest.getInstance("SHA1"); // <------- flagged SHA-1 use
    } catch (NoSuchAlgorithmException e) {
        MPLog.w(LOGTAG, "Images won't be stored because this platform doesn't supply a SHA1 hash function");
        useDigest = null;
    }
    // ... remainder of the constructor not included in the report
}

com.mixpanel.android.java_websocket.drafts.Draft_10

private String generateFinalKey( String in ) {
    String seckey = in.trim();
    String acc = seckey + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
    MessageDigest sh1;
    try {
        sh1 = MessageDigest.getInstance( "SHA1" ); // <------ flagged SHA-1 use
    } catch ( NoSuchAlgorithmException e ) {
        throw new RuntimeException( e );
    }
    return Base64.encodeBytes( sh1.digest( acc.getBytes() ) );
}

Is this code used? If it is, can this be changed to something like SHA-256 instead?
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
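Added example (not from the issue author or the mixpanel-android code base): a Python rendering of the two SHA-1 uses quoted above, to show why the CWE-327 finding needs triage rather than a blanket swap. `websocket_accept_key` is the same computation as `Draft_10.generateFinalKey`; RFC 6455 fixes both the GUID and SHA-1 for the Sec-WebSocket-Accept handshake value, so it cannot move to SHA-256 without breaking the handshake, and the RFC's own test vector is checked. `cache_filename` stands in for whatever `ImageStore` does with its digest (the snippet does not show that, so naming cache files by a hash of the URL is an assumption); that use is not bound to any protocol, so the digest is a parameter and SHA-256 is a drop-in replacement.

```python
import base64
import hashlib

# Protocol constant from RFC 6455 section 4.2.2 (also present in the Draft_10 snippet).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def websocket_accept_key(sec_websocket_key: str) -> str:
    """Compute Sec-WebSocket-Accept exactly as RFC 6455 specifies.

    The algorithm is fixed by the protocol: a peer that hashed with SHA-256 here
    would never complete a handshake with a conforming endpoint. The value is a
    handshake sanity check, not a secret and not integrity protection, so SHA-1's
    collision weakness does not create an exposure in this use.
    """
    acc = sec_websocket_key.strip() + WS_GUID
    digest = hashlib.sha1(acc.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def cache_filename(url: str, algorithm: str = "sha256") -> str:
    """Derive a filesystem-safe cache name for an image URL.

    Assumption: this is how ImageStore uses its MessageDigest. Nothing pins this
    to SHA-1, so the digest is selectable and SHA-256 is the default. Hex output
    avoids '/' and '+' in file names. Note that switching algorithms renames
    every existing cache entry, so old files become orphaned until evicted.
    """
    return hashlib.new(algorithm, url.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Test vector from RFC 6455 section 1.3.
    print(websocket_accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
    # Constructed URL; SHA-256 gives a 64-character hex name, SHA-1 a 40-character one.
    print(cache_filename("https://example.invalid/logo.png"))
    print(cache_filename("https://example.invalid/logo.png", "sha1"))
```

The practical split for the pentest response: the WebSocket use is protocol-mandated and can only be removed by dropping the feature (which is what the beta without M&E does), while the image cache digest can change algorithm freely, at the cost of a one-time cache invalidation.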

zihejia (Collaborator) commented Jul 19, 2021

hi @woxblom , if you don't use Mixpanel for messaging or A/B testing (M&E), you can use our latest beta version without M&E instead.
https://github.com/mixpanel/mixpanel-android/releases/tag/v6.0.0-beta1.

Since M&E is deprecated, we will not likely change the code, unfortunately. Sorry for the inconvenience.

@zihejia zihejia closed this as completed Jul 19, 2021
2 participants