
MASTG-TEST-0205: Non-random Sources Usage

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

Android applications sometimes use non-random sources to generate "random" values, leading to potential security vulnerabilities. Common practices include relying on the current time, such as Date().getTime(), or accessing Calendar.MILLISECOND to produce values that are easily guessable and reproducible: anyone who knows roughly when the value was generated can narrow it down to a small range of candidates.

Steps

  1. Run a static analysis tool (see Static Analysis on Android) on the app and look for uses of non-random sources.

Observation

The output should contain a list of locations where non-random sources are used.

Evaluation

The test case fails if you can find security-relevant values, such as passwords or tokens, generated using non-random sources.
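The following is an added example, not code from the MASTG project or from the demo it links to. It illustrates the Steps, Observation and Evaluation sections together: a minimal static scan over a constructed Java source file that reports the location of each non-random source named in the Overview (Date().getTime() and Calendar.MILLISECOND, plus System.currentTimeMillis(), which yields the same time-based value), then marks a hit as a failure when it sits inside a method whose name suggests a security-relevant value. The sample source, the pattern table, the sensitive-name word list and the enclosing-method heuristic are all assumptions made for this example; a real static analysis tool resolves data flow instead of matching method names.

```python
import re

# Constructed sample of an Android app's Java source (not from any real app).
# It mixes time-based "random" values with one proper SecureRandom use.
SAMPLE_SOURCE = """\
package com.example.app;

import java.util.Calendar;
import java.util.Date;
import java.security.SecureRandom;

public class TokenHelper {
    String sessionToken() {
        long seed = new Date().getTime();
        return Long.toHexString(seed);
    }

    int otpCode() {
        return Calendar.getInstance().get(Calendar.MILLISECOND) % 1000000;
    }

    byte[] apiKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    long requestId() {
        return System.currentTimeMillis();
    }
}
"""

# Assumed detection patterns: the idioms named in the Overview plus
# System.currentTimeMillis(), which is the same clock value.
NON_RANDOM_PATTERNS = {
    "Date().getTime()": re.compile(r"new\s+Date\s*\(\s*\)\s*\.getTime\s*\("),
    "Calendar.MILLISECOND": re.compile(r"Calendar\.MILLISECOND\b"),
    "System.currentTimeMillis()": re.compile(r"System\.currentTimeMillis\s*\("),
}

# Assumed word list: method names containing these are treated as
# producing security-relevant values (passwords, tokens, OTPs, keys).
SENSITIVE_WORDS = re.compile(r"token|password|secret|otp|session|key|nonce", re.I)


def find_non_random_sources(source, filename="TokenHelper.java"):
    """Observation step: return (file, line, pattern, text) for every hit."""
    hits = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, pattern in NON_RANDOM_PATTERNS.items():
            if pattern.search(text):
                hits.append((filename, lineno, name, text.strip()))
    return hits


def enclosing_method(source, lineno):
    """Heuristic: name of the nearest Java method declaration at or above lineno."""
    decl = re.compile(r"^\s*(?:[\w\[\]<>]+\s+)+(\w+)\s*\([^)]*\)\s*\{")
    for text in reversed(source.splitlines()[:lineno]):
        m = decl.match(text)
        if m:
            return m.group(1)
    return None


def evaluate(source, filename="TokenHelper.java"):
    """Evaluation step: FAIL when a hit feeds a security-relevant method,
    REVIEW otherwise (a manual look is still needed for the rest)."""
    results = []
    for file, lineno, name, text in find_non_random_sources(source, filename):
        method = enclosing_method(source, lineno) or ""
        verdict = "FAIL" if SENSITIVE_WORDS.search(method) else "REVIEW"
        results.append({"file": file, "line": lineno, "source": name,
                        "method": method, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_SOURCE):
        print(f"{r['file']}:{r['line']} {r['source']} in {r['method']}() -> {r['verdict']}")
```

Running the script lists three locations: the time-seeded session token and the millisecond-based OTP are reported as failures, while the request identifier built from System.currentTimeMillis() is flagged for review only, since a non-secret identifier is not by itself a finding under this test. The SecureRandom-based key produces no hit.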

Mitigations

Demos

MASTG-DEMO-0008: Uses of Non-random Sources