Platform: android

Test: Insecure Random API Usage

BETA

This is a beta version of the MASWE (Mobile Application Security Weakness Enumeration). The content is still under development and may change in terms of structure, IDs and content. Your feedback and questions are welcome! Please post them to MASWE Feedback.

Overview

Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as java.util.Random, which is essentially a linear congruential generator (LCG). A PRNG of this type produces a fully determined, predictable sequence of numbers for any given seed value, so the sequence is reproducible by anyone who knows the seed and is insecure for cryptographic use. In particular, java.util.Random and Math.random() (the latter simply calling nextDouble() on a static java.util.Random instance) produce identical number sequences when initialized with the same seed across all Java implementations, because the algorithm is fixed by the Java specification.
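To make the predictability concrete, the following is an added example (not code from the MASTG page or the MASTG project): a pure-Python model of the java.util.Random algorithm as documented in the JDK, i.e. a 48-bit LCG with the multiplier 0x5DEECE66D and increment 0xB. The class name `JavaRandom` and the helper `sequence_is_reproducible` are this example's own names. The known-answer value for seed 42 is the one the JDK's own `new Random(42).nextInt()` returns, so the model shows that any party holding the seed regenerates the exact stream the app will use.

```python
# Added example (not part of the MASTG page): bit-exact model of
# java.util.Random, a 48-bit linear congruential generator, to show why
# its output is reproducible from the seed alone.

MULT = 0x5DEECE66D   # LCG multiplier fixed by the Java specification
ADD = 0xB            # LCG increment
MASK = (1 << 48) - 1 # state is kept to 48 bits


class JavaRandom:
    """Model of java.util.Random(seed) (name chosen for this example)."""

    def __init__(self, seed: int) -> None:
        # Java scrambles the caller-supplied seed before first use.
        self.seed = (seed ^ MULT) & MASK

    def _next(self, bits: int) -> int:
        # One LCG step; only the top `bits` bits of the state are returned.
        self.seed = (self.seed * MULT + ADD) & MASK
        return self.seed >> (48 - bits)

    def next_int(self) -> int:
        # Random.nextInt(): 32 output bits reinterpreted as a signed Java int.
        value = self._next(32)
        return value - (1 << 32) if value >= (1 << 31) else value

    def next_double(self) -> float:
        # Random.nextDouble(), which is also what Math.random() returns.
        return ((self._next(26) << 27) + self._next(27)) * (1.0 / (1 << 53))


def sequence_is_reproducible(seed: int, count: int = 5) -> bool:
    """Two generators built from the same seed emit identical int streams."""
    a, b = JavaRandom(seed), JavaRandom(seed)
    return [a.next_int() for _ in range(count)] == [b.next_int() for _ in range(count)]


if __name__ == "__main__":
    # Known-answer check: new java.util.Random(42).nextInt() is -1170105035.
    print(JavaRandom(42).next_int())
    print(sequence_is_reproducible(42))
```

The point for a reviewer is that nothing here depends on the device, the JVM vendor or the Android version: the same seed yields the same tokens everywhere, which is why java.util.Random must not back anything security-relevant and why java.security.SecureRandom is the expected replacement.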

Steps

  1. Run a static analysis tool on the app and look for insecure random APIs.

Observation

The output should contain a list of locations where insecure random APIs are used.

Evaluation

The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts.
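The three steps above (scan, list locations, judge security relevance) can be illustrated with a minimal static check. The following is an added example and is not a MASTG tool or code from the page: it runs a few regular expressions over a constructed snippet of decompiled Android source, tracks variables initialised from `new Random(...)` so their later `.nextX()` calls are also reported, skips `SecureRandom`, and applies a crude keyword heuristic (token, key, iv, salt, nonce, otp, password, session, secret) to mark which hits need manual review as security-relevant. The class `TokenUtil`, its methods, the `Finding` dataclass and the keyword list are all assumptions of this example, and a real assessment would confirm each flagged location by reading the surrounding code.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not real app code): decompiled Android source
# mixing insecure and secure random usage.
SAMPLE_SOURCE = """\
import java.util.Random;
import java.security.SecureRandom;
public class TokenUtil {
    private static final Random rnd = new Random(System.currentTimeMillis());
    public static String sessionToken() { return Long.toHexString(rnd.nextLong()); }
    public static int diceRoll() { return (int) (Math.random() * 6) + 1; }
    public static byte[] iv() { byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv); return iv; }
    val otp = kotlin.random.Random.nextInt(100000, 999999)
}
"""

# Direct call sites of insecure PRNG APIs (SecureRandom deliberately absent).
INSECURE_APIS = {
    "java.util.Random": re.compile(r"\bnew\s+(java\.util\.)?Random\s*\("),
    "Math.random": re.compile(r"\bMath\.random\s*\("),
    "kotlin.random.Random": re.compile(r"\bkotlin\.random\.Random\b"),
    "ThreadLocalRandom": re.compile(r"\bThreadLocalRandom\b"),
}
# Variables initialised from java.util.Random, so later .nextX() calls can be flagged too.
RANDOM_VAR = re.compile(r"\bRandom\s+(\w+)\s*=\s*new\s+(java\.util\.)?Random\s*\(")
# Crude context heuristic for the Evaluation step; a human still confirms each hit.
SECURITY_KEYWORDS = re.compile(
    r"token|key|\biv\b|salt|nonce|otp|password|session|secret", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int
    api: str
    security_relevant: bool
    text: str


def scan_source(source: str) -> list:
    """Return every insecure-random location, in file order."""
    lines = source.splitlines()
    # Pass 1: collect names of java.util.Random instances.
    random_vars = {m.group(1) for line in lines for m in RANDOM_VAR.finditer(line)}
    use_pattern = (
        re.compile(r"\b(" + "|".join(map(re.escape, random_vars)) + r")\.next\w*\s*\(")
        if random_vars else None
    )
    # Pass 2: report direct API calls and calls through those instances.
    findings = []
    for n, line in enumerate(lines, start=1):
        if line.lstrip().startswith("import "):
            continue  # imports are not call sites
        hits = [api for api, pattern in INSECURE_APIS.items() if pattern.search(line)]
        if use_pattern and use_pattern.search(line):
            hits.append("java.util.Random (instance call)")
        for api in hits:
            findings.append(Finding(n, api, bool(SECURITY_KEYWORDS.search(line)), line.strip()))
    return findings


def security_relevant_findings(source: str) -> list:
    """The subset that would make this test case fail if confirmed."""
    return [f for f in scan_source(source) if f.security_relevant]


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        flag = "REVIEW" if f.security_relevant else "info"
        print(f"line {f.line_no}: {f.api} [{flag}] {f.text}")
```

On the sample, the scanner lists four locations (the `Random` field, the session token built from it, the dice roll and the Kotlin OTP) and marks only the session token and the OTP as security-relevant; the `SecureRandom` IV is not reported. The dice roll is a legitimate non-security use and would not by itself fail the test.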