Description
We are getting some security issues and one of them is as per title.
The call to dataTaskWithRequest:completionHandler:() in FIRMessagingTokenDeleteOperation.m on line 81 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.
Recommendations:
There are several possible solutions to reduce the level of trust on pre-loaded system certificates including:
- Custom trust anchors: Use a custom keystore that only contains the certificates you want to trust.
- Certificate pinning: Trust the default certificates but verify and enforce that the one used by your backend server is present in the certificate chain. As an alternative, public keys can be pinned instead.
Same goes for fetch The call to dataTaskWithRequest:completionHandler:() in FIRMessagingTokenFetchOperation.m on line 113 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.
Is this something we need to worry about?