You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am using Veracode Tool for code static analysis https://www.veracode.com
and I am facing one security issue on FirebaseCore component
Xcode version: 10.3
Firebase SDK version: 6.13.0
Firebase Component: Core
The issue says:
File - FIRInstanceIDCheckinService.m: 213
"Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy."
The text was updated successfully, but these errors were encountered:
Thanks for reaching out. So the code you pointed is used only for logging purposes, and there is no risk of impersonation or access to associated data and so using a non-cryptographically secure random number for this isn't a risk.
We are working on to removing logging_ID or better documenting this.
morganchen12
changed the title
Security issue - Veracode
Improve documentation for or remove usage of SHA1 in Instance ID
Dec 9, 2019
Hello,
I am using Veracode Tool for code static analysis
https://www.veracode.com
and I am facing one security issue on FirebaseCore component
The issue says:
File - FIRInstanceIDCheckinService.m: 213
"Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy."
The text was updated successfully, but these errors were encountered: