Hi team,
I used the ArcGIS SDK in my application. After an audit of my application, they found a few security issues.
1. Use of a Broken or Risky Cryptographic Algorithm -> com/esri/arcgisruntime/internal/apachehttp/client5/http/impl/auth/k.java
Description:
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information. The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.
Impact:
The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.
2. Insecure WebView Implementation -> com/esri/arcgisruntime/security/DefaultOAuthIntentReceiver.java
Description:
WebView ignores SSL certificate errors and accepts any SSL certificate.
Impact:
Insecure WebView implementation leads to MITM attacks.
I had the below Android implementation version:
implementation 'com.esri.arcgisruntime:arcgis-android:100.15.4'
Please check the attached images for your reference.
Kindly suggest the necessary steps or process to fix these audit issues.
Thank You,
Jyoshna
Hi, best to report your issue here: Report a Security or Privacy Concern | ArcGIS Trust Center | Documentation