Comments (4)
stewones
commented on August 15, 2024
can you please set up a reproducible example?
what security scan are you doing?
from fcm.
iosdroid
commented on August 15, 2024
In my app i scan the ipa file for the vulnerability test in the below Quixxi website with this plugin i get the below vulnerability issue. when i try without plugin the issue will gone.
Missing Certificate Pinning
Severity High
OWASP MASVS 5.4 L2
Filename
THREAT An app can further protect itself from communicating with a wrong recipient by a technique known as Certificate Pinning. The general concept is that the client is configured to know the certificate expected to be received from the server. If the certificate presented doesn't match with the assigned one then the client will prevent the session to start
RISK If the Certificate Pinning is not implemented, an attacker [MITM - Man In The Middle] can position himself between the client and the real server. If the Certificate Authority is victim of a fraud they can issue an valid certificate to a criminal. Or the user can be induced to add a new trusted certificate
authority. In this situation the handshake procedure for the client would occur with the attacker mimicking the server
This will cause a different public key to be sent to the client who - thinking to be have received it from the original server - will send back its pre-master secret to start the communication. The MITM will complete the hack sending the pre-master secret to the original server. At this point the client and server are connected in a just apparently-secure way because the MITM has the same pre-master key to decrypt the traffic between the two parties
from fcm.
stewones
commented on August 15, 2024
That's interesting.
any idea @dwieeb @priyankpat
from fcm.
jcesarmobile
commented on August 15, 2024
The plugin doesn't create any connection directly, all connections to the FCM servers are done through the FCM SDKs, so if there is a vulnerability it should be fixed by google, not by the plugin (other than keeping dependencies up to date).
So if you think it's a problem, you should report it to google.
As far as I know, firebase doesn't support SSL pinning
firebase/firebase-ios-sdk#6821
from fcm.
Related Issues (20)
- Can't delete instance after first performed HOT 1
- example app can't be built HOT 1
- How is deleteInstance is supposed to work HOT 7
- Conflicting peer dependency: @capacitor/[email protected] HOT 1
- Requested entity was not found on iOS device
- The refreshToken function returns the Firebase JWT session token instead of the FCM token HOT 1
- [help wanted] I am importing the Cannot use import statement outside a module issue HOT 4
- FCM plugin is not implemented on iOS HOT 1
- Document minimum Android SDK version and iOS build target HOT 1
- Upgrade to capacitor 5 HOT 1
- Notification not coming when App is killed in android.
- FCM.subscribeTo not working on iOS HOT 9
- refreshToken() returns old registration token on Android
- Crash app when receive a notification in background
- Type 'NSNotification.Name?' has no member 'capacitorDidRegisterForRemoteNotifications' (ios) HOT 2
- Not working as expected when using firebase-admin after subscribeTo() HOT 1
- Firebase Messaging statistics always shows "0"
- Enable Firebase Message Delivery Data Export to BigQuery
- Upgrade to capacitor 6 HOT 7
- Topic subscription not working after refreshing token
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fcm.