Created 2 months ago

Active 2 months ago

Viewed 72 times

2 replies

Hello,

I am relatively new to mobile development and have worked on both hybrid and native apps for Android and iOS. Recently, I developed a mobile application for the banking sector, where security was a top priority.

To ensure the security of my application, I followed OWASP guidelines and implemented modern cryptographic algorithms. However, during the Vulnerability Assessment and Penetration Testing (VAPT), my app repeatedly failed due to the presence of weak cryptographic algorithms.

The issue is that some of the third-party libraries I integrated internally use outdated encryption algorithms such as CBC, MD5, and SHA-1. Despite my application itself adhering to strong security standards, the bundled libraries are flagged in the VAPT report, preventing the app from passing the security assessment.

I would appreciate any guidance on how to:

Identify and mitigate weak cryptographic algorithms within third-party libraries.
Replace or override insecure implementations in libraries when direct modification isn't possible.
Ensure that my app is compliant with security standards without completely removing necessary dependencies.

Any insights, best practices, or alternative approaches would be highly valuable. Thank you in advance for your help!

created Feb 8 at 7:39

Rahul.S

2 replies

Sorted by:

Gabe Sechan

I'm assuming that the libraries in question probably support those as an option for legacy purposes, rather than actually using them actively? If so, your big options would seem to be to compile the library without those options (effectively forking it), or to fix whatever process is generating your report to check for actually using those protocols rather than their mere existence in the code.

Honestly of those two I'd prefer the second- forking the codebase (even if they made it easy with command line switches to remove things from the output) is likely a bigger security risk than anything else, as we all know your org won't keep on top of updates.

Feb 10 at 6:18

Greg Burghardt

For #1, VAPT testing is honestly one way of doing that. Presumably that it is bit too late in the game. Try looking for static and dynamic code scanning tools. Many of them look for weak cryptographic algorithms and known vulnerabilities.

For #2, look for interfaces or abstract classes in those libraries that might provide a hook into the deeper lifecycle. Maybe you'll get lucky and you can write your own implementation that uses a stronger algorithm.

For #3, do the things I outlined to solve problems 1 and 2.

Feb 11 at 0:14, edited Feb 11 at 23:27

Share perspectives, advice, and insights

Use Discussions to engage in deeper dialogue, have opinion-based conversations, and exchange perspectives about a technical concept. See full Discussions guidelines.

Discussions is different than Q&A

Discussions exists separately from the traditional question-and-answer space. If you have a specific programming question, go to Stack Overflow Q&A to post your question.

Be welcoming and patient

All users are expected to treat one another with kindness and respect. Remember, everyone is here to learn, and sometimes while learning, people make mistakes. See code of conduct.

No resume or job listings

Discussions are not for sharing your resume or job listing.

Avoid self-promotion

If your post happens to be about your product or website, you must disclose your affiliation. See spam guidelines and best practices.

Collectives™ on Stack Overflow

Addressing Outdated Cryptographic Algorithms in Third-Party Libraries for VAPT Compliance

2 replies