search

facebookarchive / stetho

Stetho is a debug bridge for Android applications, enabling the powerful Chrome Developer Tools and much more.
http://facebook.github.io/stetho/
MIT License
12.66k stars 1.13k forks source link

Usage of weak crypto algorithms like SHA-1 in Stetho #708

Open nidhi88 opened 2 years ago

nidhi88 commented 2 years ago

Summary

Our Penetration testing team has identified usage of weak crypto algorithms like SHA-1 in Stetho and logged security vulnerability. What are the plans to migrate to the latest crypto algorithms? Can you please migrate to the latest crypto algorithms to mitigate this?

Recommendation: Utilize cryptographic hashing algorithms that are considered secure and advocated for in best practice recommendations. Guidance can be found for Android For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.

Motivations

Security Vulnerability.

nidhi88 commented 1 year ago

Hi @jasta

Can you please help check this??

below function from WebSocketHandler in package com.facebook.stetho.websocket uses SHA1 which is considered a weak crypto algorigthm.

private static String generateServerKey(String clientKey) {
    try {
      String serverKey = clientKey + SERVER_KEY_GUID;
      MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
      sha1.update(Utf8Charset.encodeUTF8(serverKey));
      return Base64.encodeToString(sha1.digest(), Base64.NO_WRAP);
    } catch (NoSuchAlgorithmException e) {
      throw new RuntimeException(e);
    }
  }