MASTG-BEST-0001: Use Secure Random Number Generator APIs
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Use a cryptographically secure pseudorandom number generator as provided by the platform or programming language you are using.
Java/Kotlin¶
Use java.security.SecureRandom
, which complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1 and meets the cryptographic strength requirements described in RFC 4086: Randomness Requirements for Security. It produces non-deterministic output and automatically seeds itself during object initialization using system entropy, so manual seeding is generally unnecessary and can weaken randomness if not done properly.
The default (no-argument) constructor of SecureRandom
is recommended, as it uses the system-provided seed of appropriate length to ensure high entropy. Providing a seed (hardcoded or otherwise) to the constructor is discouraged in the Android Documentation, because it risks creating deterministic output and undermining security.
Although the documentation says the provided seed normally supplements the existing seed, this behavior may differ if an old security provider is used. To avoid these pitfalls, ensure your app targets a modern Android version with an updated provider or explicitly configures a secure provider such as AndroidOpenSSL (or Conscrypt in newer releases).
Other Languages¶
Consult the standard library or framework documentation to find the API that exposes the operating system's cryptographically secure pseudorandom number generator. This is usually the safest approach, provided there are no known vulnerabilities in that library's random number generation. For example, see the Flutter/Dart issue as a reminder that some frameworks may have known weaknesses in their PRNG implementations.
Tests¶
MASTG-TEST-0204: Insecure Random API Usage MASTG-TEST-0205: Non-random Sources Usage