MASTG-TEST-0204: Insecure Random API Usage

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

Android apps sometimes use an insecure pseudorandom number generator (PRNG), such as java.util.Random, which is a linear congruential generator and produces a predictable sequence for any given seed value. As a result, java.util.Random and Math.random() (the latter simply calls nextDouble() on a static java.util.Random instance) generate reproducible sequences across all Java implementations whenever the same seed is used. This predictability makes them unsuitable for cryptographic or other security-sensitive contexts.

In general, if a PRNG is not explicitly documented as being cryptographically secure, it should not be used where randomness must be unpredictable. Refer to the Android Documentation and the "random number generation" guide for further details.

Steps

1. Run a static analysis ( Static Analysis on Android) tool on the app and look for insecure random APIs, or you can use Method Tracing to detect the use of such APIs.
2. For each of the identified API uses, check if they are used in a security relevant context. You can reverse engineer the app ( Decompiling Java Code) and inspect the code ( Reviewing Decompiled Java Code) to confirm.

Observation

The output should contain a list of locations where insecure random APIs are used.

Evaluation

The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as generating passwords or authentication tokens.

Mitigations

• Use Secure Random Number Generator APIs

Demos

MASTG-DEMO-0007: Common Uses of Insecure Random APIs