Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Firebase uses insecure CC_SHA1 hash algorithm #4326
[READ] Step 1: Are you in the right place?
[REQUIRED] Step 2: Describe your environment
[REQUIRED] Step 3: Describe the problem
NSData *FIRInstanceIDSHA1(NSData *data)
uses insecure CC_SHA1 hashing algorithm, while Apple officially considers this algorithm insecure. They state in iOS 13 CryptoKit documentation:
"This hash algorithm isn't considered cryptographically secure, but is provided for backward compatibility with older services that require it. For new services, prefer one of the secure hashes, like SHA512."
Thank you for bringing to our attention. FIRInstanceIDSHA1 is NOT used for cryptographic purpose for any encryption or decryption. We use this hash method on a public key string to generate a random unique string for instanceID. Firebase does not use this hash method or this public/private key string for any encryption or decryption of our secret data.
We will kick out PR soon to clarify the naming of our method to avoid more confusions. Thanks!