
CC_MD5 is deprecated (in addition to being broken) #29590

@jonthanon

Description

CC_MD5 is used in RCTUtils' function RCTMD5Hash(NSString *string) (here), which is used in RCTAsyncLocalStorage.mm and RNCAsyncStorage.m to get a file name. My company's security team has requested we remove all use of MD5, regardless of whether it's used for cryptographic purposes or called by our code. In addition to being cryptographically insecure (though that isn't relevant here since it doesn't seem to be used for cryptographic purposes), CC_MD5 was deprecated by Apple in iOS 13.

React Native version:

0.63.2 (based on running npx react-native info at the time of opening this issue)

Steps To Reproduce

  1. Follow the React Native CLI Quickstart version of the Setting up the development environment documentation.
  2. In Step 2 of "Running your React Native application", open Xcode instead of using run-ios.
  3. Change the iOS Deployment Target for React-Core to iOS 13.0 (or higher).
  4. Build.

Expected Results

You shouldn't get any warnings, but for the scope of this issue, you shouldn't get any warnings about CC_MD5 being deprecated.

Snack, code example, screenshot, or link to a repository:

Here's the resulting error you'll get in the issue navigator on the left.

/Code/AwesomeProject/AwesomeProject/node_modules/react-native/React/Base/RCTUtils.m:224:3: 'CC_MD5' is deprecated: first deprecated in iOS 13.0 - This function is cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger).
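The migration the deprecation warning recommends, sketched as an added example that is not part of the original issue and not React Native's own code: a SHA-256 digest used to derive a storage file name. The names `ExampleSHA256Hex` and `ExampleStorageFilePath`, the sample key and the use of the temporary directory are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical helper (not React Native's code): lowercase hex SHA-256
// of the string's UTF-8 bytes.
static NSString *ExampleSHA256Hex(NSString *string)
{
  NSData *utf8 = [string dataUsingEncoding:NSUTF8StringEncoding];
  if (utf8 == nil) {
    return nil; // nil input, or a string that cannot be encoded as UTF-8
  }

  unsigned char digest[CC_SHA256_DIGEST_LENGTH];
  // Hash the encoded byte count, not string.length (UTF-16 code units).
  CC_SHA256(utf8.bytes, (CC_LONG)utf8.length, digest);

  NSMutableString *hex =
      [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
  for (size_t i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
    [hex appendFormat:@"%02x", digest[i]];
  }
  return hex;
}

// Hypothetical helper: map a storage key to a file inside `directory`.
// The 64-character hex name contains no path separators, so the key
// cannot influence which directory the file lands in.
static NSString *ExampleStorageFilePath(NSString *directory, NSString *key)
{
  NSString *name = ExampleSHA256Hex(key);
  return name ? [directory stringByAppendingPathComponent:name] : nil;
}

int main(void)
{
  @autoreleasepool {
    // Constructed sample key, for illustration only.
    NSString *path = ExampleStorageFilePath(NSTemporaryDirectory(),
                                            @"constructed-sample-key");
    NSLog(@"%@", path);
  }
  return 0;
}
```

Because the file name is derived from the digest, switching the hash changes the name for every key: data already written under an MD5-derived name will not be found under the SHA-256 name, so existing installs need a migration step.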

Labels: Impact: Security, Platform: iOS, Stale, Type: Security
