sdhuka
commented
1 year ago Hello @Andrew0000
Thank you for your patience while we investigated your reported concerns. While the SHA1PRNG algorithm’s usage in AWS Android SDK for the Cognito SRP flow is secure, we have created a pull request to replace the SHA1PRNG algorithm with an alternative algorithm available on the Android OS. This is now available in AWS SDK for Android v2.71.0. The SHA1 algorithm is considered weak because it is not collision-resistant. However, collision-resistance is not the property being relied on in the context in which it is being used by AWS Android SDK, which is pseudorandom bit generation.
Which AWS Services is the feature request for? Cognito + AWS SDK for Android
Is your feature request related to a problem? Please describe. SHA1PRNG is not secure. It's described in the documentation: https://developer.android.com/reference/java/security/SecureRandom In real world it's a reason of PCI DSS warning for someone who uses your SDK in a financial application.
Describe the solution you'd like Try to use SecureRandom.getInstanceStrong() or securerandom.strongAlgorithms Documentation: https://developer.android.com/reference/java/security/SecureRandom#getInstanceStrong()