CC_MD5 is deprecated (in addition to being broken) #29590

Closed
jonthanon opened this issue Aug 7, 2020 · 8 comments
Labels
• Impact: Security (If the issue is causes a vulnerability)
• Platform: iOS (iOS applications.)
• Stale (There has been a lack of activity on this issue and it may be closed soon.)
• Type: Security

Comments

@jonthanon

Description

CC_MD5 is used in RCTUtils' function RCTMD5Hash(NSString *string) (here), which is used in RCTAsyncLocalStorage.mm and RNCAsyncStorage.m to get a file name. My company's security team has requested we remove all use of MD5, regardless of whether it's used for cryptographic purposes or called by our code. In addition to being cryptographically insecure (though that isn't relevant here since it doesn't seem to be used for cryptographic purposes), CC_MD5 was deprecated by Apple in iOS 13.

React Native version:

0.63.2 (based on running npx react-native info at the time of opening this issue)

Steps To Reproduce

  1. Follow the React Native CLI Quickstart version of the Setting up the development environment documentation.
  2. In Step 2 of "Running your React Native application", open Xcode instead of using run-ios.
  3. Change the iOS Deployment Target for React-Core to iOS 13.0 (or higher).
  4. Build.

Expected Results

You shouldn't get any warnings, but for the scope of this issue, you shouldn't get any warnings about CC_MD5 being deprecated.

Snack, code example, screenshot, or link to a repository:

Here's the resulting error you'll get in the issue navigator on the left.

/Code/AwesomeProject/AwesomeProject/node_modules/react-native/React/Base/RCTUtils.m:224:3: 'CC_MD5' is deprecated: first deprecated in iOS 13.0 - This function is cryptographically broken and should not be used in security contexts. Clients should migrate to SHA256 (or stronger).
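
What the "migrate to SHA256" advice in the deprecation message above could look like for a helper that turns a storage key into a file name. This is an added example, not code from React Native or async-storage; both function names and the `legacyName` parameter are hypothetical. Because a different hash yields different file names, the second function shows one way to keep files written under the old names reachable.

```objc
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical helper (not React Native API): lowercase hex SHA-256 of the
// UTF-8 bytes of `key`, for use as a storage file name.
static NSString *ExampleSHA256FileName(NSString *key)
{
  NSData *utf8 = [key dataUsingEncoding:NSUTF8StringEncoding];
  unsigned char digest[CC_SHA256_DIGEST_LENGTH];
  CC_SHA256(utf8.bytes, (CC_LONG)utf8.length, digest);

  NSMutableString *hex =
      [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
  for (size_t i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
    [hex appendFormat:@"%02x", digest[i]];
  }
  return hex;
}

// Hypothetical lookup for the transition period. `legacyName` is the file name
// the old MD5-based scheme produced for this key; the caller supplies it (or
// nil once no legacy files remain), so this function never calls MD5 itself.
// Returns the path to read or write, first moving a legacy file into place if
// one exists. Returns nil if that move fails.
static NSString *ExampleResolveStoragePath(NSString *directory,
                                           NSString *key,
                                           NSString *legacyName,
                                           NSError **error)
{
  NSFileManager *fm = [NSFileManager defaultManager];
  NSString *path = [directory
      stringByAppendingPathComponent:ExampleSHA256FileName(key)];
  if ([fm fileExistsAtPath:path] || legacyName == nil) {
    return path; // already migrated, or nothing to migrate
  }
  NSString *legacyPath = [directory stringByAppendingPathComponent:legacyName];
  if ([fm fileExistsAtPath:legacyPath] &&
      ![fm moveItemAtPath:legacyPath toPath:path error:error]) {
    return nil; // rename failed; *error describes why
  }
  return path;
}
```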

@safaiyeh
Contributor

safaiyeh commented Aug 8, 2020

Hi @jonthanon some history for this.

RCTAsyncLocalStorage eventually became the community module async-storage as part of the Lean Core efforts; however, the module stayed in React Native core as Facebook has a dependency on it and needs to migrate out of it internally.
cc @cpojer for updates on that.

There are two options that could be taken:
• Migrate out of the CC_MD5 deprecation
• Maintain a fork of React Native and remove AsyncLocalStorage until React Native core can fully remove it

The second option will help you out a bit quicker to resolve your security concerns.

@cpojer
Contributor

cpojer commented Aug 9, 2020

Unfortunately we haven't gotten around to cleaning up the repo yet. How did the open source version of async storage deal with the same issue? Can we backport the fix for now?

@safaiyeh
Contributor

safaiyeh commented Aug 10, 2020

@cpojer It looks like async-storage also depends on the RCTMD5Hash https://github.com/react-native-community/async-storage/blob/af2664e5334175a180d71e22fe10e184904d63ff/ios/RNCAsyncStorage.m#L365

I'll file an issue with them and that should be backported to core.

@jonthanon
Author

@safaiyeh Awesome, thanks for the info. I'll move my questions to the new community thread.

@stale

stale bot commented Dec 25, 2020

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

@stale stale bot added the Stale There has been a lack of activity on this issue and it may be closed soon. label Dec 25, 2020
@jonthanon
Author

Nope, still repros in 0.63.4. See also react-native-async-storage/async-storage#415, which is linked above and is where the initial fix is (theoretically) happening.

@stale stale bot removed the Stale There has been a lack of activity on this issue and it may be closed soon. label Jan 5, 2021
@cipolleschi cipolleschi added the Impact: Security If the issue is causes a vulnerability label May 17, 2022
@github-actions

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale There has been a lack of activity on this issue and it may be closed soon. label Jun 21, 2023
@github-actions

This issue was closed because it has been stalled for 7 days with no activity.


4 participants