Skip to content
Last updated: July 10, 2024

MASTG-DEMO-0008: Common Uses of Insecure Random APIs

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Sample

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
package org.owasp.mastestapp

import android.content.Context
import java.util.Calendar
import java.util.Date

class MastgTest (private val context: Context){

    fun mastgTest(): String {
        // SUMMARY: This sample demonstrates different ways of creating non-random tokens in Java.

        // FAIL: [android-insecure-random-use] The app uses Date().time for generating authentication tokens.
        val random1 = Date().time.toInt()

        val c = Calendar.getInstance()
        // FAIL: [android-insecure-random-use] The app uses Calendar.getInstance().timeInMillis for generating authentication tokens.
        val random2 = c.get(Calendar.MILLISECOND)

        return "Generated random numbers:\n$random1 \n$random2"
    }

}
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
package org.owasp.mastestapp;

import android.content.Context;
import java.util.Calendar;
import java.util.Date;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MastgTest.kt */
@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class MastgTest {
    public static final int $stable = 8;
    private final Context context;

    public MastgTest(Context context) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
    }

    public final String mastgTest() {
        int random1 = (int) new Date().getTime();
        Calendar c = Calendar.getInstance();
        int random2 = c.get(14);
        return "Generated random numbers:\n" + random1 + " \n" + random2;
    }
}

Steps

Let's run our semgrep rule against the sample code.

../../../../rules/mastg-android-non-random-use.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
rules:
  - id: mastg-android-non-random-use
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for common patterns including classes and methods that represent non-random sources e.g. via `Calendar.MILLISECOND` or `new Date()`.
      original_source: https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/crypto/mstg-crypto-6.yaml
    message: "[MASVS-CRYPTO-1] The application makes use of non-random sources."
    pattern-either:
        - patterns:
            - pattern-inside: $M(...){ ... }
            - pattern-either:
                - pattern: new Date()
                - pattern: System.currentTimeMillis()
                - pattern: (Calendar $C).get(...)
run.sh
1
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-non-random-use.yaml ./MastgTest_reversed.java --text -o output.txt

Observation

The rule has identified some instances in the code file where an non-random source is used. The specified line numbers can be located in the original code for further investigation and remediation.

output.txt
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
┌─────────────────┐
 2 Code Findings 
└─────────────────┘

    MastgTest_reversed.java 
       rules.mastg-android-non-random-use                                  
          [MASVS-CRYPTO-1] The application makes use of non-random sources.

           22 int random1 = (int) new Date().getTime();
            ⋮┆----------------------------------------
           24 int random2 = c.get(14);

Evaluation

Review each of the reported instances.