We just had a security penetration review of our app and SHA-1 usage in mixpanel was flagged as a security risk.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
com.mixpanel.android.util.ImageStore

```java
public ImageStore(Context context, String directoryName, RemoteService poster) {
    mDirectory = context.getDir(directoryName, Context.MODE_PRIVATE);
    mPoster = poster;
    mConfig = MPConfig.getInstance(context);

    MessageDigest useDigest;
    try {
        useDigest = MessageDigest.getInstance("SHA1"); // <------- flagged line
    } catch (NoSuchAlgorithmException e) {
        MPLog.w(LOGTAG, "Images won't be stored because this platform doesn't supply a SHA1 hash function");
        useDigest = null;
    }
    // (remainder of the constructor not included in the report)
}
```

com.mixpanel.android.java_websocket.drafts.Draft_10

```java
private String generateFinalKey(String in) {
    String seckey = in.trim();
    String acc = seckey + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
    MessageDigest sh1;
    try {
        sh1 = MessageDigest.getInstance("SHA1"); // <------ flagged line
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
    return Base64.encodeBytes(sh1.digest(acc.getBytes()));
}
```
Is this code used? If it is, can this be changed to something like SHA-256 instead? https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
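The Draft_10 snippet quoted above is the RFC 6455 Sec-WebSocket-Accept computation: the GUID and the SHA-1 step are fixed by the WebSocket handshake itself, so a finding against it should be triaged differently from a SHA-1 used for integrity or signatures. The following added example (not Mixpanel's code) reproduces that computation in Python, checks it against the key/accept pair given in RFC 6455 section 1.3, and shows that swapping in SHA-256 produces an accept value a conforming peer will reject; `websocket_accept` and `handshake_matches` are names chosen for this example.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 4.2.2; the same literal appears in Draft_10.generateFinalKey.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Test vector from RFC 6455 section 1.3 (client key and the expected server accept value).
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC_ACCEPT = "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="


def websocket_accept(sec_websocket_key: str, algorithm: str = "sha1") -> str:
    """Return the Sec-WebSocket-Accept value for a client's Sec-WebSocket-Key.

    RFC 6455 mandates SHA-1 here. The `algorithm` parameter exists only so the
    mismatch check below can show what a unilateral change to SHA-256 would do.
    """
    acc = sec_websocket_key.strip() + WS_GUID          # same concatenation as Draft_10
    digest = hashlib.new(algorithm, acc.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_matches(client_key: str, server_accept: str) -> bool:
    """Client-side validation of the 101 response, exactly as RFC 6455 specifies it."""
    return websocket_accept(client_key) == server_accept


if __name__ == "__main__":
    # A conforming server answers with the RFC value...
    print(websocket_accept(RFC_KEY), handshake_matches(RFC_KEY, RFC_ACCEPT))
    # ...while a server that "upgraded" to SHA-256 no longer completes the handshake.
    print(handshake_matches(RFC_KEY, websocket_accept(RFC_KEY, "sha256")))
```

The accept value only proves the server understood the WebSocket upgrade; it carries no integrity or confidentiality guarantee, which is why the hash strength is not the risk to weigh here.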
hi @woxblom, if you don't use Mixpanel for messaging or A/B testing (M&E), you can use our latest beta version without M&E instead. https://github.com/mixpanel/mixpanel-android/releases/tag/v6.0.0-beta1.
Since M&E is deprecated, we will not likely change the code, unfortunately. Sorry for the inconvenience.