firebase / firebase-ios-sdk

Firebase SDK for Apple App Development
https://firebase.google.com
Apache License 2.0

Use of outdated, legacy, or weak cryptographic functions like MD5 #8519

Closed binhuy closed 3 years ago

binhuy commented 3 years ago

[REQUIRED] Step 1: Describe your environment

[REQUIRED] Step 2: Describe the problem

Using Time Profiler in Xcode, we see that Firebase is using outdated, legacy or weak cryptographic functions or the hashing algorithm MD5. This poses some security concern since an attacker may leverage known weaknesses in legacy cryptography to perform attacks against the app's processes.

Please refer to the screenshot for details. [Screenshot: Screen Shot 2021-08-10 at 3 09 53 PM]

Here WDFirebase is just a wrapper to Firebase.

Can we ask if the Firebase team is aware of this and whether you have any plan to fix it?

htcgh commented 3 years ago

@binhuy Thank you for reaching out. I can confirm that the MD5 usage in Analytics is for producing checksums for non-cryptographic purposes and is not a security concern. Replacing all the MD5 usage with SHA256 won’t be trivial since a lot of the checksums are persisted for later comparison. Currently, there isn't an urgent need to make this switch.
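The reply above says a switch from MD5 to SHA256 is non-trivial because checksums are persisted for later comparison. As an added example (not part of the thread and not Firebase's code), here is one way such a migration can be handled: tag each persisted checksum with its algorithm and upgrade legacy entries on the next successful comparison. The `algo:hexdigest` record format and all function names are assumptions made for illustration.

```python
import hashlib

# Assumed record format (hypothetical): "<algo>:<hexdigest>". Values with no
# tag are treated as legacy MD5 checksums persisted before tagging existed.
CURRENT_ALGO = "sha256"
SUPPORTED = {"md5", "sha256"}


def _digest(data: bytes, algo: str) -> str:
    # usedforsecurity=False declares a non-cryptographic use (Python 3.9+),
    # which also keeps MD5 available on FIPS-restricted builds.
    return hashlib.new(algo, data, usedforsecurity=False).hexdigest()


def compute(data: bytes, algo: str = CURRENT_ALGO) -> str:
    """Return a tagged checksum such as 'sha256:ab12...'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algo}")
    return f"{algo}:{_digest(data, algo)}"


def parse(stored: str) -> tuple[str, str]:
    """Split a persisted value into (algorithm, lowercase hex digest)."""
    algo, sep, digest = stored.partition(":")
    if not sep:  # untagged value written by the legacy code path
        return "md5", stored.lower()
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algo}")
    return algo, digest.lower()


def verify_and_upgrade(data: bytes, stored: str) -> tuple[bool, str]:
    """Compare data with a persisted checksum; return (matches, value_to_persist).

    A matching legacy entry is re-issued under CURRENT_ALGO. A mismatch keeps
    the stored value unchanged so the caller can report or re-sync it.
    """
    algo, digest = parse(stored)
    matches = _digest(data, algo) == digest
    if matches and algo != CURRENT_ALGO:
        return True, compute(data)
    return matches, stored


if __name__ == "__main__":
    payload = b"constructed sample payload"        # constructed input
    legacy = _digest(payload, "md5")               # untagged legacy record
    print(verify_and_upgrade(payload, legacy))     # upgraded to sha256:...
    print(verify_and_upgrade(b"changed", legacy))  # mismatch, value kept
```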

binhuy commented 3 years ago

@htcgh Thank you for your confirmation.