Improve documentation for or remove usage of SHA1 in Instance ID #4444
I am using the Veracode tool for static code analysis.
The issue says:
File - FIRInstanceIDCheckinService.m: 213
"Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand()."
Thanks for reaching out. So the code you pointed to is used only for logging purposes, and there is no risk of impersonation or access to associated data, and so using a non-cryptographically secure random number for this isn't a risk.
We are working on removing logging_ID or better documenting this.