I recently conducted a Veracode security scan of an app using the Firebase cloud messaging module and it flagged a medium-risk security issue in TiFirebaseMessagingService.java. Not being an Android developer myself, I was unable to ascertain whether it's really an issue, or if a fix is required. The specific issue has to do with the use of Random() around line 173 - it's flagged as an "Insufficient Entropy" issue (details here). Again, I'm unsure exactly how this is being used in the code and whether it's an actual exploitable issue in this case, but I thought I should point it out in any case. Veracode describes it as follows:
Description
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
Recommendations
If this random number is used where security is a concern, such as generating a session identifier or cryptographic key, use a trusted cryptographic random number generator instead.
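The distinction the Veracode text draws is the one a reviewer of this finding needs: java.util.Random is a seeded linear congruential generator whose whole output stream is fixed by its seed, while java.security.SecureRandom draws from the platform CSPRNG. The following is an added illustration, not code from the Firebase module or from TiFirebaseMessagingService.java, and it does not claim to know what the Random() at line 173 is used for; the seed value 173L and the class and method names are constructed for the example. It shows the reproducibility that makes Random unsuitable for anything an attacker must not be able to guess, beside the SecureRandom form the recommendation asks for.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

// Hypothetical example class; not part of the module under discussion.
public class RandomnessExample {

    // java.util.Random is fully determined by its seed: two instances built
    // from the same seed emit the same sequence. That is acceptable for a
    // value that only needs to be distinct (for example a local identifier),
    // but not for a session identifier, token or key.
    public static int[] predictableSequence(long seed, int count) {
        Random r = new Random(seed);
        int[] out = new int[count];
        for (int i = 0; i < count; i++) {
            out[i] = r.nextInt();
        }
        return out;
    }

    // SecureRandom is the "trusted cryptographic random number generator"
    // the recommendation refers to; it is seeded from the platform CSPRNG
    // rather than from a caller-supplied or time-derived seed.
    public static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        new SecureRandom().nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed seed: any fixed seed reproduces the same stream.
        int[] first = predictableSequence(173L, 3);
        int[] second = predictableSequence(173L, 3);
        System.out.println("java.util.Random, same seed, same output: "
                + Arrays.equals(first, second));
        System.out.println("Sequence: " + Arrays.toString(first));

        // Two SecureRandom tokens; each call yields an independent value.
        System.out.println("SecureRandom token 1: " + secureToken(16));
        System.out.println("SecureRandom token 2: " + secureToken(16));
    }
}
```

Whether the finding needs a fix therefore depends on what the value produced at line 173 feeds into: if it only has to be unique or varied within the app, the scanner's rule is firing on a pattern rather than on an exploitable weakness; if it is ever used as a secret or an unguessable identifier, swapping in SecureRandom is the fix the recommendation describes.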