MASTG-TEST-0205: Non-random Sources Usage

Overview

Android applications sometimes use non-random sources to generate "random" values, leading to potential security vulnerabilities. Common practices include relying on the current time, such as Date().getTime(), or accessing Calendar.MILLISECOND to produce values that are easily guessable and reproducible.

Steps

1. Run a static analysis ( Static Analysis on Android) tool on the app and look for uses of non-random sources.

Observation

The output should contain a list of locations where non-random sources are used.

Evaluation

The test case fails if you can find security-relevant values, such as passwords or tokens, generated using non-random sources.

Mitigations

• Use Secure Random Number Generator APIs

Demos

MASTG-DEMO-0008: Uses of Non-random Sources