SHA1 is a weak hash known to have hash collisions.

ID

objectivec.cryptography.ios_sha1_collision

Severity

low

Resource

Cryptography

Language

Objective-C

Description

SHA1 is a weak hash known to have hash collisions.

Rationale

SHA1 is a weak hash known to have hash collisions.

The following code illustrates a vulnerable pattern detected by this rule:

// Test cases for ios-sha1-collision rule

#import <Foundation/Foundation.h>
// VULNERABLE: SHA1 is a weak hash known to have hash collisions.
#import <CommonCrypto/CommonDigest.h>

// ============================================
// POSITIVE CASES (should trigger findings)
// ============================================

void badSHA1Hash() {
    const char *str = "password";
    unsigned char result[CC_SHA1_DIGEST_LENGTH];
    // VULNERABLE: SHA1 is a weak hash known to have hash collisions.
    CC_SHA1(str, (CC_LONG)strlen(str), result);
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
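As an added example (not part of the rule's own test cases), the flagged `CC_SHA1` call can be replaced with `CC_SHA256` from the same CommonCrypto header; because the sample above hashes the string "password", the block also shows salted PBKDF2 for the case where the digest is really a stored password. The helper names `SHA256Digest` and `DerivePasswordKey`, the 16-byte salt, the 32-byte output and the round count are assumptions chosen for illustration.

```objectivec
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>

// Hypothetical helper: SHA-256 in place of CC_SHA1 for integrity digests.
static NSData *SHA256Digest(NSData *input) {
    // CC_SHA256 takes a 32-bit CC_LONG length; reject input that would truncate.
    if (input == nil || input.length > UINT32_MAX) return nil;
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(input.bytes, (CC_LONG)input.length, digest);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}

// Hypothetical helper: for stored passwords a single fast hash of any kind
// is unsuitable, so derive a verifier with salted PBKDF2-HMAC-SHA256.
static NSData *DerivePasswordKey(NSString *password, NSData **saltOut) {
    NSData *pw = [password dataUsingEncoding:NSUTF8StringEncoding];
    if (pw.length == 0 || saltOut == NULL) return nil;
    uint8_t salt[16]; // fresh random salt per password, stored next to the result
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof(salt), salt) != errSecSuccess) return nil;
    uint8_t key[32];
    const unsigned rounds = 600000; // assumed work factor; tune for target devices
    int status = CCKeyDerivationPBKDF(kCCPBKDF2, pw.bytes, pw.length,
                                      salt, sizeof(salt),
                                      kCCPRFHmacAlgSHA256, rounds,
                                      key, sizeof(key));
    if (status != kCCSuccess) return nil;
    *saltOut = [NSData dataWithBytes:salt length:sizeof(salt)];
    return [NSData dataWithBytes:key length:sizeof(key)];
}

int main(void) {
    @autoreleasepool {
        // Constructed sample inputs.
        NSData *msg = [@"constructed sample input" dataUsingEncoding:NSUTF8StringEncoding];
        NSLog(@"SHA-256 digest: %@", SHA256Digest(msg));
        NSData *salt = nil;
        NSData *key = DerivePasswordKey(@"constructed-sample-password", &salt);
        NSLog(@"salt bytes: %lu, derived key bytes: %lu",
              (unsigned long)salt.length, (unsigned long)key.length);
    }
    return 0;
}
```

Digests already stored as SHA-1 cannot be converted in place; they have to be recomputed from the original data when moving to SHA-256.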

Configuration

This detector does not need any configuration.