Closed devsideal closed 2 weeks ago
I found a few problems with this issue:
Drive-by comment: Firestore does indeed use MD5, but not in a security context:
This code is part of the algorithm that keeps Firestore's local cache in sync with the server. This is not a security context. The warning about using an insecure hash algorithm can be safely ignored. We chose MD5 over a cryptographically-secure hashing algorithm because the performance of MD5 was measured to be significantly better and security was not needed for this particular hash.
Thanks @dconeybe for the clarification. What about the other issues?
I've added the "auth" tag so someone with auth expertise can comment.
firebase-messaging is using that value as an identifier for deduplication, not security, so there shouldn't be a security issue using SHA-1.
This issue is referred from: https://github.com/firebase/flutterfire/issues/13053
Getting some security issues when scanning by appsweep with below packages:

cloud_firestore: ^5.0.1
showing Insecure hashing algorithm MD5 used with below findings:

firebase_auth: ^5.1.0
showing Insecure hashing algorithm SHA1 used with below findings:

firebase_messaging: ^15.0.1
showing Insecure hashing algorithm SHA-1 used with below findings:

STR:
Flutter version is: 3.22.2