Cryptographic APIs misuses in Volley on Android

[misterAnderson90]

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 01 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on hwloc (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve hwloc's security, and the quality of the reports of static analysis tools.

(*) https://github.com/CROSSINGTUD/CryptoAnalysis

[bgoglin]

Hello. Yes please share them with me. When you say "01 warnings", you really mean "1" ? Or did you forget a digit ?

[misterAnderson90]

Hello @bgoglin,

Sorry for taking so long for sending you the gist. The warning reported is related to the library Volley used by your app.

Gist 01 - MessageDigest

How do you perceive the importance of a tool like this?

[bgoglin]

Hello. So you're talking about the Android app, I thought you were talking about the main C project. @vhoyet Do you have an opinion about what to do about this?

[vhoyet]

Hello, the warning seems hard to locate. I can't find any direct use of com.android.volley.InternalUtils in the app. It might be used internally by other methods from com.android.volley, maybe it should be pointed to android developpers then, since these methods don't raise any warning ?

I guess if we can locate it, it should be enough to encode the parameter to any of {SHA-256, SHA-384, SHA-512}.