[question]: Security Concern: Use of SHA1/MD5

[remithaunay]

How can we help?

Hello,

SHA1 and MD5 are considered weak cryptographic algorithms, and a recent penetration test revealed their use. Upon investigation, it appears they are used in the OneSignal-iOS-SDK.

Could you clarify how these algorithms are used and why their usage does not pose a security risk?

Thanks!

Code of Conduct

• I agree to follow this project's Code of Conduct

[nan-li]

Hi @remithaunay, can you share where the usages are that you are concerned about?

[remithaunay]

Hello, these are the usages

https://github.com/search?q=repo%3AOneSignal%2FOneSignal-iOS-SDK%20CC_SHA1&type=code
https://github.com/search?q=repo%3AOneSignal%2FOneSignal-iOS-SDK+CC_MD5&type=code

[nan-li]

Thanks for calling them out - they are leftover APIs in the SDK from the previous major version and are no longer used. We can remove them as they are now dead methods.

[nan-li]

Cleanup will be in the next release