Skip to content

MASTG-TEST-0204: Insecure Random API Usage

Overview

Android apps sometimes use an insecure pseudorandom number generator (PRNG), such as java.util.Random, which is a linear congruential generator and produces a predictable sequence for any given seed value. As a result, java.util.Random and Math.random() (the latter simply calls nextDouble() on a static java.util.Random instance) generate reproducible sequences across all Java implementations whenever the same seed is used. This predictability makes them unsuitable for cryptographic or other security-sensitive contexts.

In general, if a PRNG is not explicitly documented as being cryptographically secure, it should not be used where randomness must be unpredictable. Refer to the Android Documentation and the "random number generation" guide for further details.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where insecure random APIs are used.

Evaluation

The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as generating passwords or authentication tokens.

Further Validation Required:

Inspect each reported code location using Reviewing Decompiled Java Code to determine whether the usage is security-relevant:

  • Determine whether the generated random values are used for security-relevant purposes, such as generating cryptographic keys, initialization vectors (IVs), nonces, authentication tokens, session identifiers, passwords, or PINs.

Best Practices

MASTG-BEST-0001: Use Secure Random Number Generator APIs

Demos

MASTG-DEMO-0007: Common Uses of Insecure Random APIs