firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

Weak Hash Algorithm Used #6016

Closed Yusei0205 closed 3 weeks ago

Yusei0205 commented 3 weeks ago

Our app has identified usage of weak crypto algorithms like SHA1 in the Firebase SDK in the security code scanning result performed by the penetration testing team; these can be vulnerable to various types of collision attacks, which can compromise the security of hashed data.

Recommendation from the report: Remove the weak SHA-1 hashing algorithm. Technical Standards Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

We have checked that the usage of SHA1 is coming from the following path: com.google.firebase.installations.local.IidStore. Based on the comment in the source code, we know that it is used for backward compatibility purposes; however, the security team has concerns about this, and there is no proper documentation stating that there are no security concerns regarding the use of weak SHA1.

Is there any version without the weak crypto algorithm, and is there any workaround to remove or exclude it from the library? Also, what is the minimum Android version that does not require the SHA1 crypto algorithm for backward compatibility purposes?

google-oss-bot commented 3 weeks ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

lehcar09 commented 3 weeks ago

Hi @Yusei0205, thank you for reaching out. For context, the Firebase Installations service (FIS) is an infrastructure service for Firebase services, providing targeting identifiers (FIDs), a client-authentication scheme (FIS auth tokens), and a centralized deletion flow that allows Firebase services to be GDPR and wipeout compliant.

FIS replaced the Instance ID service (IID). FIS honors existing Instance IDs in order not to break Firebase Targeting. FIS makes sure that every Firebase Installation is targetable with exactly one Firebase identifier (Instance ID or FID).

In order to make sure that all Firebase services use the same identifier, all Firebase services have to effectively switch from IID to the new identity provider (FIS) at the same time. The Instance ID SDK v.20.1.0 was updated to depend on the FIS SDK for identifier creation.

As mentioned in the comment in the source code:

// FirebaseInstallations SDK uses the SHA1 hash for backwards compatibility with the legacy InstanceID SDK.
// The SHA1 hash is used to access Instance IDs stored on the device and not for any security relevant process.
// This is a one-time step that allows migration of old client identifiers.
// Cryptographic security is not needed here so potential hash collisions are not a problem.

That said, if you are using Instance ID SDK v.20.1.0 or above, this step will not execute.

lehcar09 commented 3 weeks ago

I'll go ahead and close this thread now. Let me know if there's any misunderstanding and/or we need to re-open the issue for further investigation. Thanks!