Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CC_MD5 deprecation migration

See original GitHub issue

Current behavior

Currently Async Storage iOS relies on RCTMD5Hash which uses CC_MD5 to create a file hash https://github.com/react-native-community/async-storage/blob/af2664e5334175a180d71e22fe10e184904d63ff/ios/RNCAsyncStorage.m#L365

CC_MD5 was deprecated in iOS 13 due to not being cryptographically correct.

‘CC_MD5’ is deprecated: first deprecated in macOS 10.15 - This function is cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger).

This initially brought up in React Native core, https://github.com/facebook/react-native/issues/29590

Expected behavior

Either migrate to a SHA256 encryption or use a cryptographically correct MD5 hash package.

I’m assuming a SHA256 encryption would be better as it won’t introduce a new dependency. This might be just a change in React Native core, unless it would be better for Async Storage to own that functionality.

I’ll make the PR for these, just want to confirm which direction is best to go.

Repro steps

Build React Native app with async-storage & targeting iOS 13.

‘CC_MD5’ is deprecated: first deprecated in macOS 10.15 - This function is cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger).

Warning should show up.

Environment

Async Storage version: 1.11.0
React-Native version: 0.63
Platform tested: iOS
Logs/Error that are relevant: N/A

Issue Analytics

State:
Created 3 years ago
Comments:8 (1 by maintainers)

Top GitHub Comments

1reaction

krizzucommented, Aug 13, 2020

@safaiyeh Thanks for raising this up. Yes, we agreed that SHA256 is better, among those two. Because we’re changing the filenames used, we have to create a migration process too. Here’s how I see it:

On startup, check storage folder for current files. If no files, just create SHA256-based filename and continue as normal (because that means it’s fresh install). And scenario where there are files already in directory: If it’s one file, compare its name to generated SHA256. If it matches, continue as normal. Otherwise copy file with new SHA256 name. If there are multiple files, it means that previous scenario took place (one old MD5 and new SHA256). So just pick SHA256 file I don’t think there’d be a situation where more than 2 files would be present

1reaction

jonthanoncommented, Aug 12, 2020

Right, but the MD5 algorithm itself is compromised, regardless of the implementation. (Sorry, I think I’m communicating this poorly.) Either way, SHA256 sounds good!

Top Results From Across the Web

'CC_MD5' is deprecated: first deprecated in iOS 13.0

MD5 is deprecated because it's a flawed, insecure algorithm. If you can, avoid it. But if have to use MD5 because the algorithm...

What does CC_MD5's deprecation mean? - Apple Developer

To me, a deprecated warning is different than an insecure warning. If CC_MD5 had a warning that it was insecure, I could ignore...

Dominik Bucher on Twitter: "'CC_MD5' was deprecated in iOS ...

'CC_MD5' was deprecated in iOS 13.0: This function is cryptographically broken and should not be used in security contexts. Clients should migrate to...

CommonCrypto watchOS 5.3 to 6.0 API Differences

To, Deprecated, This function is cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger).

[Solved]-Warning 'fileAttributesAtPath:traverseLink is deprecated

In most cases, when you get a report about a deprecated method, you look it up ... 'CC_MD5' is deprecated: first deprecated in...