Open kypeli opened 1 year ago
The SDK does not use the checksum to secure any secrets. It's purely an identifier for the APK file. For this use-case it only matters that it is fast and that collisions are reasonably rare, and, while old, MD5 still fulfills that :beers:.
I don't see any benefit in changing it; it would also break the existing statistics data for everyone that updates. I'd argue that this is working as intended. Thoughts, @hannesa2?
> It's purely an identifier for the APK file.

As long as it's not a real security issue, all is fine. Sure, I would not say it will never be done. I see this as an open source project, where everyone is warmly welcome to improve it with pull requests.
MD5 is considered a broken cryptographic hash function. Please use some other hash function instead, like SHA-1 or SHA-2.
MD5 is used in this file https://github.com/matomo-org/matomo-sdk-android/blob/master/tracker/src/main/java/org/matomo/sdk/tools/Checksum.java
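The thread turns on a simple point: the checksum is a file identifier, and which digest produces it is a one-line choice, but changing it changes every stored identifier. The following added example (not the SDK's own `Checksum` class, and not code from the linked repository) streams a file through `java.security.MessageDigest` with the algorithm name as a parameter, so the same helper yields the existing MD5 value and a SHA-256 value side by side. The class name `FileIdentifier` and the temporary sample file are assumptions constructed for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not the Matomo SDK's Checksum class: hashes a file in a
 * streaming fashion (no full read into memory, which matters for large APKs)
 * and hex-encodes the digest so it can be used as a stable identifier.
 */
public final class FileIdentifier {
    private FileIdentifier() {}

    /**
     * Returns the lowercase hex digest of the file using the named JCA
     * algorithm ("MD5", "SHA-1", "SHA-256", ...). Output length depends on the
     * algorithm: 32 hex chars for MD5, 64 for SHA-256, so stored identifiers
     * computed with a different algorithm will never match.
     */
    public static String digestHex(Path file, String algorithm) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Unsupported digest algorithm: " + algorithm, e);
        }
        byte[] buf = new byte[8192];
        try (InputStream in = Files.newInputStream(file)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return toHex(md.digest());
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary file standing in for an APK.
        Path sample = Files.createTempFile("sample", ".apk");
        Files.write(sample, "constructed sample content".getBytes(StandardCharsets.UTF_8));
        try {
            System.out.println("MD5     " + digestHex(sample, "MD5"));
            System.out.println("SHA-256 " + digestHex(sample, "SHA-256"));
        } finally {
            Files.delete(sample);
        }
    }
}
```

Running `main` prints two identifiers for the same file. Because the digests differ in both value and length, any migration away from MD5 either recomputes and re-keys the stored statistics or records both values for a transition period; that is the compatibility cost the maintainer refers to above, and it is independent of whether MD5's collision weakness matters for a non-secret identifier.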