Test: Insecure Random API Usage
BETA
This is a beta version of the MASWE (Mobile Application Security Weakness Enumeration). The content is still under development and may change in terms of structure, IDs and content. Your feedback and questions are welcome! Please post them to MASWE Feedback.
Overview
Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as java.util.Random, which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, java.util.Random and Math.random() (the latter simply calling nextDouble() on a static java.util.Random instance) produce identical number sequences when initialized with the same seed across all Java implementations.
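The following Java program is an added example, not code from the MASTG page or the OWASP project. It makes the reproducibility described above concrete: two java.util.Random instances created with the same (constructed) seed yield the same sequence, whereas SecureRandom draws from the platform's cryptographic source. The token-generation helper and the seed value 42 are assumptions chosen for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class InsecureRandomDemo {

    // Constructed seed value for the demonstration. Apps often seed with a
    // constant or the current time, both of which an attacker can guess.
    static final long SEED = 42L;

    // Draws `count` values from java.util.Random seeded with `seed`.
    // The sequence depends only on the seed, so it is fully reproducible.
    static int[] drawInsecure(long seed, int count) {
        Random rng = new Random(seed);
        int[] out = new int[count];
        for (int i = 0; i < count; i++) {
            out[i] = rng.nextInt(1_000_000);
        }
        return out;
    }

    // Hypothetical security-relevant use: a hex token, e.g. for password reset.
    // Built on SecureRandom, which is the CSPRNG an app should use here.
    static String secureToken(int byteLength) {
        byte[] buf = new byte[byteLength];
        new SecureRandom().nextBytes(buf); // no caller-supplied seed
        StringBuilder sb = new StringBuilder(byteLength * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Same token built on java.util.Random: the "before" form of the fix.
    static String insecureToken(long seed, int byteLength) {
        byte[] buf = new byte[byteLength];
        new Random(seed).nextBytes(buf);
        StringBuilder sb = new StringBuilder(byteLength * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int[] a = drawInsecure(SEED, 5);
        int[] b = drawInsecure(SEED, 5);
        // Identical on every run and every Java implementation.
        System.out.println("java.util.Random, same seed, equal sequences: " + Arrays.equals(a, b));
        System.out.println("Sequence: " + Arrays.toString(a));

        // Two "tokens" from the insecure generator with the same seed collide.
        System.out.println("Insecure tokens equal: "
                + insecureToken(SEED, 16).equals(insecureToken(SEED, 16)));

        // SecureRandom output is not reproducible from any value in the app.
        System.out.println("Secure token A: " + secureToken(16));
        System.out.println("Secure token B: " + secureToken(16));
    }
}
```

Run with javac InsecureRandomDemo.java && java InsecureRandomDemo. During a review, the insecureToken pattern is what the static-analysis step below is meant to surface: any call to new Random(...) or Math.random() whose result ends up in a token, key, nonce or similar value.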
Steps
- Run a static analysis tool on the app and look for insecure random APIs.
Observation
The output should contain a list of locations where insecure random APIs are used.
Evaluation
The test case fails if you can find random numbers generated with those APIs that are used in security-relevant contexts.