Insecure SSL: Overly Broad Certificate Trust

[Shakihassan]

The call to dataTaskWithRequest:completionHandler:() in FIRInstanceIDTokenDeleteOperation.m on line 87 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.An SSL/TLS connection is created using the default pre-loaded system Certificate Authorities (CAs), that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.

The call to dataTaskWithRequest:completionHandler:() in FIRInstanceIDTokenFetchOperation.m on line 120 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.An SSL/TLS connection is created using the default pre-loaded system Certificate Authorities (CAs), that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.

Note : Reported by the Fortify on demand Team

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[morganchen12]

Firebase doesn't currently allow for custom certificate pinning on iOS. If you would like to request this feature, please file a feature request.