MASTG-TEST-0205: Non-random Sources Usage
Overview
Android applications sometimes use non-random sources to generate "random" values, leading to potential security vulnerabilities. Common practices include relying on the current time, such as Date().getTime(), or accessing Calendar.MILLISECOND to produce values that are easily guessable and reproducible.
Steps
- Use Reverse Engineering Android Apps to reverse engineer the app.
- Use Static Analysis on Android to look for the relevant APIs.
Observation
The output should contain a list of locations where non-random sources are used.
Evaluation
The test case fails if you can find security-relevant values, such as passwords or tokens, generated using non-random sources.
Further Validation Required:
Inspect each reported code location using Reviewing Decompiled Java Code to determine whether the usage is security-relevant:
- Determine whether the generated values are used for security-relevant purposes, such as generating cryptographic keys, initialization vectors (IVs), nonces, authentication tokens, session identifiers, passwords, or PINs.
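To produce the list of locations the Observation step asks for, the following added Python triage script (written for this page, not part of MASTG or any OWASP tool) scans decompiled Java source for the time-based APIs named above and flags lines where the value directly seeds java.util.Random; the sample class, file path and method names are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Time-based "random" sources named in the test. Keys are regexes over
# decompiled Java; values are the API name reported in the finding.
NON_RANDOM_SOURCES = {
    r"new\s+Date\s*\(\s*\)\s*\.\s*getTime\s*\(\s*\)": "Date().getTime()",
    r"\bCalendar\.MILLISECOND\b": "Calendar.MILLISECOND",
    r"System\.currentTimeMillis\s*\(\s*\)": "System.currentTimeMillis()",
}
# java.util.Random constructed with an explicit seed on the same line.
SEEDED_RANDOM = re.compile(r"new\s+(?:java\.util\.)?Random\s*\(\s*[^)\s]")

class Finding(NamedTuple):
    path: str
    line: int
    api: str
    seeds_random: bool  # value feeds a java.util.Random seed on this line

def scan_java_source(path: str, source: str) -> List[Finding]:
    """One Finding per (line, API) where decompiled Java reads a time-based source."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # drop trailing line comments (heuristic)
        for pattern, api in NON_RANDOM_SOURCES.items():
            if re.search(pattern, code):
                findings.append(Finding(path, lineno, api, bool(SEEDED_RANDOM.search(code))))
    return findings

# Constructed sample standing in for one decompiled class; not from a real app.
SAMPLE_JAVA = """\
public class TokenFactory {
    String weakToken() {
        Random rng = new Random(new Date().getTime());
        return Long.toHexString(rng.nextLong());
    }
    byte[] strongKey() {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        return key;
    }
    long lastSeenAt() {
        return System.currentTimeMillis(); // timestamp, not a secret
    }
}
"""

if __name__ == "__main__":
    for f in scan_java_source("com/example/app/TokenFactory.java", SAMPLE_JAVA):
        print(f"{f.path}:{f.line}: {f.api}" + (" seeds java.util.Random" if f.seeds_random else ""))
```

The script is a line-level heuristic for triage only: every reported location still needs the manual review described under Evaluation to decide whether the value is security-relevant (the lastSeenAt timestamp in the sample is not, the seeded token generator is).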
Best Practices
MASTG-BEST-0001: Use Secure Random Number Generator APIs