Open nidhi88 opened 2 years ago
Hi @jasta
Can you please help check this??
below function from WebSocketHandler in package com.facebook.stetho.websocket uses SHA1 which is considered a weak crypto algorigthm.
private static String generateServerKey(String clientKey) {
try {
String serverKey = clientKey + SERVER_KEY_GUID;
MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
sha1.update(Utf8Charset.encodeUTF8(serverKey));
return Base64.encodeToString(sha1.digest(), Base64.NO_WRAP);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
Summary
Our Penetration testing team has identified usage of weak crypto algorithms like SHA-1 in Stetho and logged security vulnerability. What are the plans to migrate to the latest crypto algorithms? Can you please migrate to the latest crypto algorithms to mitigate this?
Recommendation: Utilize cryptographic hashing algorithms that are considered secure and advocated for in best practice recommendations. Guidance can be found for Android For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.
Motivations
Security Vulnerability.