Hi All, a security review has found that our Meteor 2.7.3 app is using the deprecated AES128ECB algorithm on iOS. We’re not explicitly making the call in any of our code and a minimalist Meteor app is also showing the same behaviour.
A jailbroken iPhone with security tools is reporting that the app is calling the kCCEncrypt operation with the kCCAlgorithmAES128 in kCCOptionalECBMode. This is part of the older Objective-C CommonCrypto library. The call seems to be originating in the cordova-plugin-meteor-webapp when the Swift AssetBundleManager checks for updates via the checkForUpdatesWithBaseURL function.
We’d like to use a more secure algorithm but at the moment we don’t actually have an idea of why it’s being used or where it’s actually being called from. Any suggestions appreciated.
Have you tested it against the latest Meteor version? If I recall, there have been some Cordova updates in one of the recent versions.
Might also be worth testing against this PR:
The security reviewer has just confirmed that the AES128ECB call is still present in a Meteor 2.13 build. Anyone have any thoughts on where it might be called from and/or what’s being encrypted?
With some help from the Apple Developer Forum I was able to add a breakpoint on the crypto function and determine that the call is kicked off when the cordova-plugin-meteor-webapp uses a Swift URLSession.dataTask to retrieve the JSON manifest. The same behaviour can be replicated by adding a dataTask to a “Hello World” iOS app so the call is part of iOS itself and not a Meteor issue.
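The reproduction described in the last post, written out as an added example (this is not code from the thread or from cordova-plugin-meteor-webapp): a bare URLSession dataTask with no crypto code of its own, plus the lldb steps that attribute the CommonCrypto call to whichever frames sit above it. The manifest URL is a placeholder, and the symbolic breakpoint names (CCCrypt, CCCryptorCreate) are assumed to be the CommonCrypto entry points the reviewer's tooling hooked; the register names are for an arm64 device (use rdi/rsi/rdx on an x86_64 simulator).

```swift
import Foundation

// Added reproduction, not from the forum thread or the Meteor Cordova plugin.
// The URL is a placeholder standing in for the app's /__cordova/manifest.json.
let manifestURL = URL(string: "https://example.invalid/__cordova/manifest.json")!

// Minimal request: the same kind of dataTask the plugin's AssetBundleManager uses.
// In an iOS app, call this from viewDidLoad and drop the semaphore; as a macOS
// command-line target the semaphore just keeps the process alive until the reply.
let done = DispatchSemaphore(value: 0)
let task = URLSession.shared.dataTask(with: manifestURL) { data, response, error in
    if let error = error {
        print("request failed: \(error.localizedDescription)")
    } else if let http = response as? HTTPURLResponse {
        print("status \(http.statusCode), \(data?.count ?? 0) bytes")
    }
    done.signal()
}
task.resume()
done.wait()

// Attribution check in lldb (Xcode console, or `lldb -- ./repro` for the CLI build):
//   (lldb) breakpoint set --name CCCrypt
//   (lldb) breakpoint set --name CCCryptorCreate   // in case the one-shot API is not used
//   (lldb) run
//   (lldb) register read x0 x1 x2   // arm64 args: op, alg, options
//   (lldb) bt
// op == 0 (kCCEncrypt), alg == 0 (kCCAlgorithmAES128) and options & 0x2
// (kCCOptionECBMode) reproduce the reviewer's finding. If every frame in `bt`
// belongs to CFNetwork/Security/libsystem and none to this binary, the ECB use
// is inside iOS's networking stack and not something the app or plugin chose.
```

The useful output for a security review is the backtrace, not the breakpoint hit itself: a hit with no app or plugin frames above the system frameworks is what supports the "part of iOS, not a Meteor issue" conclusion, and it is the evidence to attach to the finding.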