SourceCodester Android Corona Virus Tracker App MD5 Cryptography Vulnerability
Vulnerability
A vulnerability exists in the SourceCodester Android application "Corona Virus Tracker App India" version 1.0, which uses the outdated MD5 hashing algorithm for digest authentication. The `handleDigest()` function in `OkHttpClientWrapper.java` hashes credentials using `MessageDigest.getInstance("MD5")`. MD5 is cryptographically broken: practical hash collisions exist, which leaves the authentication process susceptible to replay, spoofing and brute-force attacks and can lead to unauthorized access.
Impact
The use of MD5 allows attackers to create inputs that generate the same hash, enabling replay attacks, spoofing of authentication tokens, brute-force cracking of passwords, and unauthorized access to the application.
Reproduction
The vulnerability can be reproduced by downloading the Corona Virus Tracker App India version 1.0 from SourceCodester. After installing the app, perform a static analysis using a tool like MobSF, which will reveal the use of MD5 in the authentication process. This analysis can be done by reversing the APK and inspecting the `OkHttpClientWrapper.java` file, where the `handleDigest()` function is located.
Remediation
Users are advised to update the authentication mechanism to use a secure hashing algorithm such as SHA-256 or SHA-3. For password hashing, consider using PBKDF2, bcrypt, or Argon2, ensuring proper salting and key-stretching to enhance security.
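The following example is added here to illustrate the weak pattern described in the Vulnerability section beside the hardened form recommended above; it is not code from the SourceCodester app (the app's real `handleDigest()` is not reproduced on this page). The class name, method names, iteration count, salt length and storage format are assumptions chosen for the example; `PBKDF2WithHmacSHA256` is assumed to be available from the platform's `SecretKeyFactory` (it is on Java 8+ and Android API 26+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class CredentialHashing {

    // "Before" form, constructed to mirror the pattern the advisory describes:
    // a single unsalted MD5 digest of the credential. Shown only for contrast.
    static String weakMd5Digest(String credential) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(credential.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Hardened form: PBKDF2 with HMAC-SHA256, a random per-credential salt and
    // key stretching. The constants below are assumed values for this example.
    private static final String SCHEME = "pbkdf2-sha256";
    private static final int ITERATIONS = 310_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);   // CSPRNG, never a fixed or predictable salt
        return salt;
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            byte[] key = factory.generateSecret(spec).getEncoded();
            spec.clearPassword();             // scrub the password copy held by the spec
            return key;
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    // Stored record: "<scheme>$<iterations>$<base64 salt>$<base64 hash>", so the
    // iteration count can be raised later without invalidating existing records.
    static String hashForStorage(char[] password) {
        byte[] salt = newSalt();
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return SCHEME + "$" + ITERATIONS + "$" + enc.encodeToString(salt)
                + "$" + enc.encodeToString(hash);
    }

    // Verification recomputes with the stored salt and iteration count and compares
    // in constant time, so timing does not leak how many leading bytes matched.
    static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !SCHEME.equals(parts[0])) {
            return false;
        }
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            return false;                     // malformed record, treat as no match
        }
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credential for demonstration only.
        char[] password = "correct horse battery staple".toCharArray();

        // Weak form: same input always yields the same unsalted digest, which is
        // exactly what makes precomputation and replay straightforward.
        System.out.println("MD5 (weak):   " + weakMd5Digest(new String(password)));

        // Hardened form: two hashes of the same password differ because the salt differs,
        // and only the stored record with its own salt verifies the password.
        String record1 = hashForStorage(password);
        String record2 = hashForStorage(password);
        System.out.println("PBKDF2 #1:    " + record1);
        System.out.println("PBKDF2 #2:    " + record2);
        System.out.println("records equal: " + record1.equals(record2));   // false
        System.out.println("verify good:   " + verify(password, record1)); // true
        System.out.println("verify bad:    " + verify("wrong".toCharArray(), record1)); // false
    }
}
```

If the app must keep HTTP Digest authentication rather than replacing it, the hardened form above applies to how credentials are stored and verified; the digest exchange itself should be moved off MD5 to the SHA-256 variant the server supports, and in every case the raw secret must not be reduced to a single unsalted hash as in `weakMd5Digest`.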
