```kotlin
package org.owasp.mastestapp

import android.content.Context
import java.util.Calendar
import java.util.Date

class MastgTest(private val context: Context) {

    fun mastgTest(): String {
        // SUMMARY: This sample demonstrates different ways of creating non-random tokens
        // from wall-clock time via java.util.Date and java.util.Calendar.

        // FAIL: [android-insecure-random-use] The app uses Date().time for generating
        // authentication tokens. Epoch time is monotonic and easily guessed.
        val random1 = Date().time.toInt()

        val c = Calendar.getInstance()
        // FAIL: [android-insecure-random-use] The app uses Calendar.get(Calendar.MILLISECOND)
        // for generating authentication tokens. The field has only 1000 possible values.
        val random2 = c.get(Calendar.MILLISECOND)

        return "Generated random numbers:\n$random1 \n$random2"
    }
}
```
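For comparison, the same class with the time-derived values replaced by a cryptographically secure generator. This is an added example, not code from the MASTG demo app; the class name `MastgTestFixed`, the helper names and the 32-byte token length are assumptions made for illustration.

```kotlin
package org.owasp.mastestapp

import android.content.Context
import android.util.Base64
import java.security.SecureRandom

// Added example (not part of the MASTG sample): the same structure as MastgTest,
// but every "random" value comes from java.security.SecureRandom instead of
// Date()/Calendar. Class name, helper names and the 32-byte default are assumptions.
class MastgTestFixed(private val context: Context) {

    // One SecureRandom per instance; the no-arg constructor uses the platform's
    // CSPRNG (no manual seeding, which could make the output predictable again).
    private val secureRandom = SecureRandom()

    // Returns byteLength random bytes as URL-safe Base64 without padding or line wraps,
    // suitable for use as an opaque session or authentication token.
    fun newAuthToken(byteLength: Int = 32): String {
        require(byteLength >= 16) { "token must carry at least 128 bits of entropy" }
        val bytes = ByteArray(byteLength)
        secureRandom.nextBytes(bytes)
        return Base64.encodeToString(
            bytes,
            Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING
        )
    }

    // Uniformly distributed 32-bit value, unlike Date().time.toInt() (monotonic,
    // guessable to within seconds) or Calendar.MILLISECOND (only 1000 possible values).
    fun newRandomInt(): Int = secureRandom.nextInt()

    fun mastgTest(): String {
        // PASS: neither value is derived from the wall clock.
        val random1 = newRandomInt()
        val token = newAuthToken()
        return "Generated random values:\n$random1 \n$token"
    }
}
```

None of the calls in this version (`new SecureRandom()`, `nextBytes`, `nextInt`) match the rule's patterns, so a scan of this class reports nothing; a time-based seed passed into `SecureRandom(seed)` would also escape the rule, which is one reason the findings are a starting point for review rather than a complete verdict.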
```yaml
rules:
  - id: mastg-android-non-random-use
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for common patterns, including classes and methods that represent non-random sources, e.g. `Calendar.MILLISECOND` or `new Date()`.
      original_source: https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/crypto/mstg-crypto-6.yaml
    message: "[MASVS-CRYPTO-1] The application makes use of non-random sources."
    pattern-either:
      - patterns:
          - pattern-inside: $M(...) {...}
          - pattern-either:
              - pattern: new Date()
              - pattern: System.currentTimeMillis()
              - pattern: (Calendar $C).get(...)
```
The rule has identified the instances in the code file where a non-random source is used. The reported line numbers can be located in the original code for further investigation and remediation. Because the rule matches any `new Date()`, `System.currentTimeMillis()` or `Calendar.get(...)` call inside a method body, regardless of which `Calendar` field is read, it cannot tell whether the value ends up in a security-relevant token or is only used for display or logging, so each finding should be checked against the surrounding data flow before it is reported. Note also that the rule declares `languages: java`, so it is meant to run against Java source (for a Kotlin app such as the sample above, the code decompiled from the APK) rather than against the Kotlin file directly.