MASTG-DEMO-0008: Uses of Non-random Sources

Sample

MastgTest.kt
package org.owasp.mastestapp

import android.content.Context
import java.util.Calendar
import java.util.Date

class MastgTest(private val context: Context) {

    fun mastgTest(): String {
        // SUMMARY: This sample demonstrates different ways of creating non-random tokens in Java.

        // FAIL: [android-insecure-random-use] The app uses Date().time for generating authentication tokens.
        val random1 = Date().time.toInt()

        val c = Calendar.getInstance()
        // FAIL: [android-insecure-random-use] The app uses Calendar.get(Calendar.MILLISECOND), a value in the range 0..999, for generating authentication tokens.
        val random2 = c.get(Calendar.MILLISECOND)

        return "Generated random numbers:\n$random1 \n$random2"
    }

}
MastgTest_reversed.java
package org.owasp.mastestapp;

import android.content.Context;
import java.util.Calendar;
import java.util.Date;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MastgTest.kt */
@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class MastgTest {
    public static final int $stable = 8;
    private final Context context;

    public MastgTest(Context context) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
    }

    public final String mastgTest() {
        int random1 = (int) new Date().getTime();
        Calendar c = Calendar.getInstance();
        int random2 = c.get(14);
        return "Generated random numbers:\n" + random1 + " \n" + random2;
    }
}

Steps

Let's run our semgrep rule against the sample code.

../../../../rules/mastg-android-non-random-use.yml
rules:
  - id: mastg-android-non-random-use
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for common patterns, including classes and methods that represent non-random sources, e.g. `Calendar.MILLISECOND` or `new Date()`.
      original_source: https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/crypto/mstg-crypto-6.yaml
    message: "[MASVS-CRYPTO-1] The application makes use of non-random sources."
    pattern-either:
      - patterns:
          - pattern-inside: $M(...){ ... }
          - pattern-either:
              - pattern: new Date()
              - pattern: System.currentTimeMillis()
              - pattern: (Calendar $C).get(...)
run.sh
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-non-random-use.yml ./MastgTest_reversed.java --text -o output.txt

Observation

The rule has identified the instances in the code file where a non-random source is used. The reported line numbers refer to the reversed Java file and can be mapped back to the original Kotlin source for further investigation and remediation.

output.txt
┌─────────────────┐
 2 Code Findings 
└─────────────────┘

    MastgTest_reversed.java 
       rules.mastg-android-non-random-use                                  
          [MASVS-CRYPTO-1] The application makes use of non-random sources.

           22 int random1 = (int) new Date().getTime();
            ⋮┆----------------------------------------
           24 int random2 = c.get(14);

Evaluation

Review each of the reported instances.
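The following plain Kotlin program is an added example, not part of the MASTG demo app, showing why the two reported token sources are weak and what the remediation looks like: `weakTokenFromDate` and `weakTokenFromMillis` mirror the sample's constructions, `secureToken` replaces them with `java.security.SecureRandom`, and the `main` checks that the clock-derived values are reproducible from the clock alone and that the millisecond field can never take more than 1000 values. The function names are the example's own.

```kotlin
import java.security.SecureRandom
import java.util.Base64
import java.util.Calendar
import java.util.Date

// Weak, as in the sample: the token is just the low 32 bits of the epoch-millisecond clock.
// Anyone who knows roughly when it was issued can reproduce it by trying a small time window.
fun weakTokenFromDate(now: Date = Date()): Int = now.time.toInt()

// Weak, as in the sample: Calendar.MILLISECOND is always in 0..999, i.e. under 10 bits of entropy.
fun weakTokenFromMillis(cal: Calendar = Calendar.getInstance()): Int = cal.get(Calendar.MILLISECOND)

// Remediation: draw the token from the platform CSPRNG and encode it for transport.
private val csprng = SecureRandom()
fun secureToken(numBytes: Int = 32): String {
    val buf = ByteArray(numBytes)
    csprng.nextBytes(buf)
    return Base64.getUrlEncoder().withoutPadding().encodeToString(buf)
}

// Number of distinct values a clock-derived token can take when the issue time is known to lie
// within a window of `windowMillis` milliseconds: at most one per millisecond (and the int
// truncation caps the whole space at 2^32 regardless of the window).
fun clockTokenCandidates(windowMillis: Long): Long = windowMillis.coerceAtMost(1L shl 32)

fun main() {
    val issued = Date()
    // Same clock value in, same token out: no secret is involved anywhere.
    check(weakTokenFromDate(issued) == weakTokenFromDate(Date(issued.time)))

    // Sampling the millisecond field repeatedly never yields more than 1000 distinct tokens.
    val seen = HashSet<Int>()
    repeat(10_000) { seen += weakTokenFromMillis() }
    check(seen.size <= 1000)

    println("distinct millisecond tokens observed: ${seen.size}")
    println("clock token candidates in a 1-minute window: ${clockTokenCandidates(60_000)}")
    println("secure token: ${secureToken()}")  // 43 URL-safe characters carrying 256 bits of entropy
}
```

Running the hardened version through the Semgrep rule above produces no findings, since none of `new Date()`, `System.currentTimeMillis()` or `Calendar.get(...)` remain on the token path.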