Hi All, a security review has found that our Meteor 2.7.3 app is using the deprecated AES128ECB algorithm on iOS. We’re not explicitly making the call in any of our code and a minimalist Meteor app is also showing the same behaviour.
A jailbroken iPhone with security tools is reporting that the app is calling the kCCEncrypt operation with the kCCAlgorithmAES128 in kCCOptionalECBMode. This is part of the older Objective-C CommonCrypto library. The call seems to be originating in the cordova-plugin-meteor-webapp when the swift AssetBundleManager checks for updates via the checkForUpdtaesWithBaseURL function.
We’d like to use a more secure algorithm but at the moment we don’t actually have an idea of why it’s being used or where it’s actually being called from. Any suggestions appreciated.
With some help from the Apple Developer Forum I was able to add a breakpoint on the crypto function and determine that the call is kicked off when the cordova-plugin-meteor-webapp uses a Swift URLSession.dataTask to retrieve the JSON manifest. The same behaviour can be replicated by adding a dataTask to a “Hello World” iOS app so the call is part of iOS itself and not a Meteor issue.