Description
Version of Mobile SDK Used: 11.1.0
Issue found in Native App or Hybrid App: Native iOS
OS Version: iOS
Xcode Version: 16
Device: iPhone
Our security team has identified that the Firebase SDK makes use of weak cryptographic hash algorithms, namely MD5 and/or SHA-1.
Risk:
- Both MD5 and SHA-1 are considered cryptographically broken and unsuitable for use in modern applications.
- Advances in cryptanalysis have exposed vulnerabilities that enable collision attacks, making it possible for attackers to impersonate data or compromise integrity.
- NIST explicitly recommends against using SHA-1 for password hashing, digital signature generation/verification, and other security-critical operations.
Recommendation:
- Firebase Crashlytics should discontinue the use of weak hashing algorithms such as MD5 and SHA-1.
- Migration to stronger algorithms such as SHA-2 (e.g., SHA-256) or SHA-3 is recommended to ensure secure hashing and integrity verification.
Request:
Please confirm:
- Where MD5/SHA-1 are being used within the Firebase Crashlytics SDK (e.g., hashing crash reports, integrity verification, internal processing).
- If there are updated SDK versions that address this issue.
- If not, provide a timeline or roadmap for migration to stronger cryptographic algorithms.
Reproducing the issue
No response
Firebase SDK Version
11.1.0
Xcode Version
16
Installation Method
Swift Package Manager
Firebase Product(s)
Crashlytics
Targeted Platforms
iOS
Relevant Log Output
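The issue asks where MD5 and SHA-1 are reached inside the SDK. The first step a reviewer would take on a `git clone` of the SDK is to locate the Apple APIs through which those algorithms are normally called on iOS: CommonCrypto's `CC_MD5*`/`CC_SHA1*` family and CryptoKit's `Insecure.MD5`/`Insecure.SHA1`. The scanner below is an added example, not code from the issue or from the Firebase SDK; the file names, directory layout and source lines it scans are constructed for illustration and do not reproduce Firebase code. It skips `//`-commented lines so that commented-out or documented calls are not reported, ignores non-source files, and returns a sorted list of findings plus a per-algorithm count. A hit only establishes that the API is referenced; whether that is a security defect depends on what the digest is used for (a non-security identifier versus integrity or signature verification), which is exactly the question the issue puts to the maintainers.

```python
"""Locate weak-hash API references in an iOS source checkout.

Added example (not part of the issue or the Firebase SDK).  The patterns
cover the Apple APIs through which MD5/SHA-1 are usually reached; the
sample files written by make_sample_tree() are constructed for this
demonstration only.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Apple APIs through which MD5 / SHA-1 are normally reached on iOS.
WEAK_HASH_PATTERNS = {
    "MD5": re.compile(r"\b(CC_MD5\w*|Insecure\.MD5)\b"),
    "SHA-1": re.compile(r"\b(CC_SHA1\w*|Insecure\.SHA1)\b"),
}
SOURCE_EXTENSIONS = (".swift", ".m", ".mm", ".h", ".c", ".cpp")


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the scanned root
    line: int       # 1-based line number
    algorithm: str  # "MD5" or "SHA-1"
    symbol: str     # the API name that matched
    text: str       # the offending source line, stripped


def _strip_comments(line: str) -> str:
    """Drop `//` line comments so commented-out calls are not reported.

    Block comments are not tracked; this is a first-pass triage tool,
    not a parser.  A `//` inside a string literal is also treated as a
    comment, which is an acceptable false negative here.
    """
    stripped = line.lstrip()
    if stripped.startswith(("//", "/*", "*")):
        return ""
    return line.split("//", 1)[0]


def scan_file(path: str, rel: str) -> list[Finding]:
    """Return every weak-hash API reference in one source file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, start=1):
            code = _strip_comments(raw)
            for algorithm, pattern in WEAK_HASH_PATTERNS.items():
                for match in pattern.finditer(code):
                    findings.append(
                        Finding(rel, lineno, algorithm, match.group(1), raw.strip())
                    )
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a checkout and return all findings sorted by path and line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SOURCE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                findings.extend(scan_file(full, os.path.relpath(full, root)))
    return sorted(findings, key=lambda f: (f.path, f.line))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per algorithm, e.g. {"MD5": 2, "SHA-1": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.algorithm] = counts.get(f.algorithm, 0) + 1
    return counts


# Constructed sample checkout (hypothetical file names, not Firebase code)
# so the scanner can be exercised offline.
SAMPLE_FILES = {
    "Crashlytics/Legacy/Identifier.m": (
        "#import <CommonCrypto/CommonDigest.h>\n"
        "// CC_MD5 mentioned in a comment only: must not be reported\n"
        "unsigned char digest[CC_MD5_DIGEST_LENGTH];\n"
        "CC_MD5(bytes, (CC_LONG)length, digest);  // weak: MD5\n"
    ),
    "Crashlytics/Sources/Hasher.swift": (
        "import CryptoKit\n"
        "let legacyID = Insecure.SHA1.hash(data: payload)\n"
        "let reportID = SHA256.hash(data: payload)\n"
    ),
    "README.md": "CC_SHA1 in documentation is ignored because .md is not scanned\n",
}


def make_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="weakhash-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    results = scan_tree(root)
    for f in results:
        print(f"{f.path}:{f.line}: {f.algorithm} via {f.symbol}: {f.text}")
    print(summarize(results))
```

Run against a real checkout with `scan_tree("/path/to/firebase-ios-sdk")`; the output gives the file:line list the issue requests, and the `text` field lets a reviewer see at a glance whether the digest feeds an identifier or an integrity check.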