
MASTG-TEST-0204: Insecure Random API Usage

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as java.util.Random, which is a 48-bit linear congruential generator. Its output is fully determined by the seed, so anyone who knows or can guess the seed can reproduce the whole sequence, which makes it unsuitable for cryptographic or any other security-relevant use. Math.random() is no better: it simply calls nextDouble() on a single static java.util.Random instance. Because the algorithm is part of the Java API specification, the same seed produces the same sequence on every Java implementation, Android included. Even an unknown seed offers little protection: each nextInt() call reveals the top 32 of the 48 state bits, so an observer who sees a few outputs can recover the internal state and predict every value that follows.
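As an added worked example (not part of the MASTG page or of any project's code), the following Python script re-implements the java.util.Random algorithm bit-for-bit and shows why its output must never be used as a secret: two consecutive nextInt() values are enough to brute-force the 16 unknown state bits, recover the generator's internal state and predict every later value. The seed 42 and the "leaked values" scenario are constructed for the demonstration; the multiplier, increment and seed scrambling are the ones fixed by the Java specification.

```python
from typing import List, Optional

# Constants fixed by the java.util.Random specification (48-bit LCG).
MULTIPLIER = 0x5DEECE66D
INCREMENT = 0xB
MASK48 = (1 << 48) - 1


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random (nextInt() only)."""

    def __init__(self, seed: int) -> None:
        # Random(long seed) stores (seed ^ 0x5DEECE66D) & ((1 << 48) - 1).
        self.state = (seed ^ MULTIPLIER) & MASK48

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        """Build a generator positioned at a known internal state."""
        rng = cls.__new__(cls)
        rng.state = state & MASK48
        return rng

    def next_bits(self, bits: int) -> int:
        # protected int next(int bits): advance the LCG, return its top `bits` bits.
        self.state = (self.state * MULTIPLIER + INCREMENT) & MASK48
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        # public int nextInt() { return next(32); }  -- a signed Java int.
        value = self.next_bits(32)
        return value - (1 << 32) if value >= (1 << 31) else value


def recover_state(out1: int, out2: int) -> Optional[int]:
    """Recover the state held after `out2` from two consecutive nextInt() results.

    out1 is the top 32 bits of the state that produced it, so only the low
    16 bits are unknown: 65536 candidates cover the whole search space.
    """
    high = (out1 & 0xFFFFFFFF) << 16
    target = out2 & 0xFFFFFFFF
    for low in range(1 << 16):
        candidate = high | low
        following = (candidate * MULTIPLIER + INCREMENT) & MASK48
        if following >> 16 == target:
            return following
    return None  # not two consecutive nextInt() outputs of one generator


def predict_next(out1: int, out2: int, count: int = 3) -> List[int]:
    """Return the `count` nextInt() values that follow out1, out2."""
    state = recover_state(out1, out2)
    if state is None:
        raise ValueError("not consecutive java.util.Random.nextInt() outputs")
    clone = JavaRandom.from_state(state)
    return [clone.next_int() for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: the app did `new Random(42)`; the attacker does
    # not know the seed, only two values the app exposed (e.g. in tokens).
    victim = JavaRandom(42)
    leaked = [victim.next_int(), victim.next_int()]
    predicted = predict_next(leaked[0], leaked[1])
    actual = [victim.next_int() for _ in range(3)]
    print("leaked   :", leaked)        # first value is -1170105035, as in Java
    print("predicted:", predicted)
    print("actual   :", actual)
    assert predicted == actual
```

The same attack works against Math.random(), since it draws from a java.util.Random instance; only the output format (a double built from next(26) and next(27)) changes, not the state recovery. Note that the brute force does not need the seed at all, which is why "we seed from System.nanoTime()" is not a fix.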

Steps

  1. Run a static analysis tool (see Static Analysis on Android) on the app and look for insecure random APIs.
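An added example (not from the MASTG page or from a MASTG tool) of the kind of check this step performs: a small Python scanner that greps decompiled Java/Kotlin sources (e.g. jadx output) and smali (e.g. apktool output) for the insecure random APIs and reports file and line, which is exactly the list of locations the Observation below expects. The sample class and smali method it scans are constructed inline; the pattern list and the `scan_source`/`scan_tree` names are assumptions made for this example, not a MASTG convention.

```python
import os
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    api: str
    line: str


# (regex, label) pairs for the insecure random APIs this test looks for, in
# decompiled Java/Kotlin (jadx output) and in smali (apktool output).
INSECURE_RANDOM_PATTERNS = [
    (re.compile(r"^\s*import\s+java\.util\.Random\s*;?"), "java.util.Random imported (check its uses)"),
    (re.compile(r"\bnew\s+(java\.util\.)?Random\s*\("), "java.util.Random constructor"),
    (re.compile(r"\bMath\.random\s*\("), "Math.random()"),
    (re.compile(r"\bThreadLocalRandom\.current\s*\("), "ThreadLocalRandom (java.util.Random subclass)"),
    (re.compile(r"\bkotlin\.random\.Random\b"), "kotlin.random.Random (not a CSPRNG)"),
    (re.compile(r"Ljava/util/Random;-><init>"), "java.util.Random constructor (smali)"),
    (re.compile(r"Ljava/lang/Math;->random\(\)D"), "Math.random() (smali)"),
]

SOURCE_EXTENSIONS = (".java", ".kt", ".smali")


def scan_source(text: str, path: str) -> List[Finding]:
    """Return one Finding per line of `text` that uses an insecure random API."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, api in INSECURE_RANDOM_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, line_no, api, line.strip()))
                break  # one finding per line is enough
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decompiled app directory and scan every Java/Kotlin/smali file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SOURCE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample input: a decompiled class that uses both insecure and
# secure generators, so the scanner's selectivity can be checked offline.
SAMPLE_JAVA = """\
package com.example.app;

import java.util.Random;
import java.security.SecureRandom;

public class TokenGenerator {
    private static final Random RNG = new Random(42);

    public static String resetToken() {
        return Long.toHexString(RNG.nextLong());
    }

    public static double jitter() {
        return Math.random();
    }

    public static byte[] sessionKey() {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        return key;
    }
}
"""

SAMPLE_SMALI = """\
.method public static jitter()D
    .locals 2
    invoke-static {}, Ljava/lang/Math;->random()D
    move-result-wide v0
    return-wide v0
.end method
"""


if __name__ == "__main__":
    import sys
    # With a path argument, scan a real decompiled tree; otherwise scan the samples.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (
        scan_source(SAMPLE_JAVA, "TokenGenerator.java")
        + scan_source(SAMPLE_SMALI, "TokenGenerator.smali"))
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.api}: {f.line}")
```

A hit is only a location, not a verdict: the scanner deliberately reports the java.util.Random import as well as the constructor, because the object is often created in one place and consumed in another, and the Evaluation step still has to trace each reported value to where it is used.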

Observation

The output should contain a list of locations where insecure random APIs are used.

Evaluation

The test case fails if random numbers generated with those APIs are used in a security-relevant context, for example to produce tokens, session identifiers, keys, IVs, nonces, one-time passwords, or anything else an attacker must not be able to guess.

Mitigations

Demos

MASTG-DEMO-0007: Common Uses of Insecure Random APIs