Hi @RobtRoma
Thanks for your support of Codebook and for posting to the discussion forum.
Codebook currently uses HMAC-SHA1. While SHA1 has long been considered insecure, HMAC-SHA1 is actually still considered a secure construct. In the article you referenced, you will see a mention of this in the quoted tweet from Scott Arciszewski, i.e. “It’s time to stop using SHA1. (HMAC-SHA1 is still okay.)”. So right now there is no reason to be concered about Codebook’s security, even given the potential for chosen-prefix collision attacks against SHA1. That said, we are actively moving away from even using HMAC-SHA1 and the next version of Codebook (Codebook 4) will include SQLCipher 4, and use SHA512 by default. There are some further details about the security improvements of SQLCipher 4 here: https://www.zetetic.net/blog/2018/11/30/sqlcipher-400-release/
We plan on starting preliminary beta testing relatively soon. There’s a short beta signup form located here: https://www.zetetic.net/codebook/beta-signup/
Let me know if this addresses your questions.