zcash-android-wallet-sdk [SDK audit] Recommendation: Use SHA256 instead of SHA1 for parameter file integrity checks

[SDK audit] Recommendation: Use SHA256 instead of SHA1 for parameter file integrity checks

Open HonzaR opened this issue 10 months ago • 0 comments

Is your feature request related to a problem? Please describe.

The SDK uses the SHA1 to check that the correct parameter files have been downloaded. SHA1 is vulnerable to collision attacks, so it should be replaced with SHA256 or another secure hash function. This is not a security risk, since SHA1 is still secure against second-preimage attacks (which is what would be needed to get the wallet to accept bad parameter files), nevertheless SHA1 should still be avoided.

Describe the solution you'd like

Check and refactor File.getSha1Hash(): String API

Alternatives you've considered

Additional context

Apr 23 '24 12:04 HonzaR

zcash-android-wallet-sdk zcash-android-wallet-sdk copied to clipboard

[SDK audit] Recommendation: Use SHA256 instead of SHA1 for parameter file integrity checks

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Alternatives you've considered

Additional context

zcash-android-wallet-sdk
zcash-android-wallet-sdk copied to clipboard