Replace MD5 hash function with a non-broken one in Checksum.java

matomo-org / matomo-sdk-android

SDK for Android to measure your apps with Matomo. Works on Android phones, tablets, Fire TV sticks, and more!

BSD 3-Clause "New" or "Revised" License

387 stars 163 forks source link

Replace MD5 hash function with a non-broken one in Checksum.java #341

Open kypeli opened 1 year ago

kypeli commented 1 year ago

MD5 is considered a broken cryptographic hash function. Please use some other hash function instead, like SHA-1 or SHA-2.

MD5 is used in this file https://github.com/matomo-org/matomo-sdk-android/blob/master/tracker/src/main/java/org/matomo/sdk/tools/Checksum.java

d4rken commented 1 year ago

The SDK does not use the checksum to secure any secrets. It's purely an identifier for for the APK file. For this use-case it only matters that it is fast, and collisions are reasonably rare, while old, MD5 still fulfills that :beers:.

I don't see any benefit in changing it, it would also break the existing statistics data for everyone that updates. I'd argue that this is working as intended. Thoughts @hannesa2 ?

hannesa2 commented 1 year ago

It's purely an identifier for for the APK file.

As long as it's not a real security issue, all is fine. Sure, I would not say, it will never done. I see this as an open source project, where everyone is warmly welcome to improve it with pull requests.