I am integrating AppSweep into my application. While building the application and putting it into AppSweep for testing, I found an "Insecure hashing algorithm SHA1 used" finding, which is reported from com.google.firebase.installations.local.IidStore.
I added the code below to my ProGuard rules file, but it's not working for me. How can I fix this issue?
# obfuscate the classes in all internal packages.
-keep public class !**.internal.**, com.google.** {
public protected *;
}
# We can repackage all obfuscated classes in a new internal package.
-repackageclasses com.google.internal
In cases like this where you have findings in libraries that you don't think are relevant, what you could do is either suppress it (clicking on the "crossed out eye" icon in the top right corner of the finding card will allow you to do so) or you can also filter AppSweep's build overview to only show you findings in your own code. Changing your DexGuard rules won't automatically suppress findings in AppSweep, since they are different products.
To do this, click on the "Internal or All dependencies" element next to "Origin" and in the resulting popup only select "Internal":
A general issue though, specifically for hashing algorithm usage in libraries, is that it is very hard to say whether they are false positive findings. If e.g. SHA-1 is used in a context like file hashing, where cryptographic properties of the hash function are of no concern, it could indeed be okay to use it. However, the initial purpose of SHA-1 explicitly was to be a cryptographically secure hash function. So since this property is not guaranteed anymore, using it will always be an issue, unless you are really sure it is not a cryptographically relevant one. Determining that automatically is pretty hard, so scanning tools might want to err on the side of caution here, to make users manually and carefully double-check their specific use case.
My suggestion here would actually be that in cases where you are the one who controls what algorithm is being used, you should look into using hash functions that are explicitly non-cryptographic when dealing with tasks like file hashing. xxHash for example is a good choice here that you may want to check out.
If you would like to ask any more questions or just want to talk, also feel free to use the chat function inside AppSweep itself, in the lower right corner of the browser window!
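The distinction the answer draws, between a hash used as a security control and a hash used merely to fingerprint files, is easiest to see side by side. The following Java class is an added example and is not code from the question, from AppSweep, or from the Firebase library: it shows the SHA-1 call a scanner will flag, the SHA-256 replacement for a use where collision resistance matters (verifying content against a known digest), and the explicitly non-cryptographic xxHash for a local cache key. It assumes the lz4-java library (package `net.jpountz.xxhash`) is on the classpath for xxHash; the seed constant and the sample payload are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import net.jpountz.xxhash.XXHashFactory; // lz4-java, assumed to be a dependency of the app

public final class HashChoice {

    private HashChoice() {}

    // The call a scanner reports as "insecure hashing algorithm": fine only when
    // no one relies on collision resistance, and hard for a tool to tell apart.
    static byte[] sha1(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Cryptographic use: the app checks downloaded content against a digest it
    // shipped with. Collision resistance matters here, so use SHA-256.
    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Compare digests with a constant-time comparison instead of Arrays.equals.
    static boolean digestMatches(byte[] data, byte[] expectedSha256)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(sha256(data), expectedSha256);
    }

    // Non-cryptographic use: a change detector or cache key for local files.
    // xxHash is fast, explicitly non-cryptographic, and will not be mistaken
    // for a security control by a scanner.
    private static final int XXHASH_SEED = 0x1234abcd; // constructed; any fixed value works

    static int xxhash32(byte[] data) {
        return XXHashFactory.fastestInstance()
                .hash32()
                .hash(data, 0, data.length, XXHASH_SEED);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        byte[] shipped = sha256(sample); // stands in for a digest bundled with the app
        System.out.println("SHA-256 (integrity check): " + hex(shipped));
        System.out.println("matches shipped digest: " + digestMatches(sample, shipped));

        System.out.println("xxHash32 (cache key): " + Integer.toHexString(xxhash32(sample)));
    }
}
```

When you own the code, the rule of thumb is the one the answer gives: pick SHA-256 (or stronger) wherever an attacker could benefit from a collision, and pick something like xxHash wherever the hash is only a fingerprint, so that the remaining SHA-1 findings in your report are the ones that actually need a decision.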