Usage of weak crypto algorithms like SHA-1 in Stetho

[nidhi88]

Summary

Our Penetration testing team has identified usage of weak crypto algorithms like SHA-1 in Stetho and logged security vulnerability. What are the plans to migrate to the latest crypto algorithms? Can you please migrate to the latest crypto algorithms to mitigate this?

Recommendation:
Utilize cryptographic hashing algorithms that are considered secure and advocated for in best practice recommendations. Guidance can be found for Android For more guidance on best practices in picking strong cryptography, please see OWASP's Cryptographic Storage Cheat Sheet.

Motivations

Security Vulnerability.

[nidhi88]

Hi @jasta

Can you please help check this??

below function from WebSocketHandler in package com.facebook.stetho.websocket uses SHA1 which is considered a weak crypto algorigthm.

private static String generateServerKey(String clientKey) {
    try {
      String serverKey = clientKey + SERVER_KEY_GUID;
      MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
      sha1.update(Utf8Charset.encodeUTF8(serverKey));
      return Base64.encodeToString(sha1.digest(), Base64.NO_WRAP);
    } catch (NoSuchAlgorithmException e) {
      throw new RuntimeException(e);
    }
  }