Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve documentation for or remove usage of SHA1 in Instance ID #4444

Closed
robimoltewhp opened this issue Dec 5, 2019 · 1 comment
Closed

Improve documentation for or remove usage of SHA1 in Instance ID #4444

robimoltewhp opened this issue Dec 5, 2019 · 1 comment
Assignees

Comments

@robimoltewhp
Copy link

@robimoltewhp robimoltewhp commented Dec 5, 2019

Hello,

I am using Veracode Tool for code static analysis
https://www.veracode.com
and I am facing one security issue on FirebaseCore component

  • Xcode version: 10.3
  • Firebase SDK version: 6.13.0
  • Firebase Component: Core

The issue says:

File - FIRInstanceIDCheckinService.m: 213

"Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy."

@chliangGoogle

This comment has been minimized.

Copy link
Contributor

@chliangGoogle chliangGoogle commented Dec 5, 2019

Thanks for reaching out. So the code you pointed is used only for logging purposes, and there is no risk of impersonation or access to associated data and so using a non-cryptographically secure random number for this isn't a risk.

We are working on to removing logging_ID or better documenting this.

@morganchen12 morganchen12 changed the title Security issue - Veracode Improve documentation for or remove usage of SHA1 in Instance ID Dec 9, 2019
@firebase firebase locked and limited conversation to collaborators Jan 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
5 participants
You can’t perform that action at this time.