MASTG-TEST-0349: Runtime Use of Insecure Random APIs
Overview
If the app uses insecure pseudorandom number generators (PRNGs) at runtime, generated values can become predictable. This can lead to weak tokens, nonces, keys, or identifiers when those values are used in security-relevant contexts. This test checks whether the running app calls insecure random APIs, such as rand, random, and the *rand48 family, during relevant flows.
Steps
- Use Installing Apps to install the app.
- Use Method Hooking to hook the relevant APIs.
- Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
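One way to carry out the hooking step, as an added example rather than MASTG's own demo code: a Frida agent that hooks the APIs named in the overview and reports each call with its backtrace and the first frame inside the app binary. The expansion of `*rand48` into individual function names, the helper names, and treating the first loaded module as the app binary are assumptions of this example.

```javascript
// Added example: Frida agent, loaded for instance with
//   frida -U -f <bundle-id> -l trace_insecure_random.js
// (<bundle-id> and the script file name are placeholders).
const INSECURE_RANDOM_APIS = ["rand", "random",
  "drand48", "erand48", "lrand48", "nrand48", "mrand48", "jrand48"];

// Pure helper: first backtrace frame that belongs to the app binary rather
// than a system library. Frames are {address, moduleName, name} objects,
// the shape Frida's DebugSymbol.fromAddress() returns.
function firstAppFrame(frames, appModuleName) {
  return frames.find((f) => f.moduleName === appModuleName) || null;
}

// Pure helper: build one observation record per intercepted call.
function buildRecord(api, frames, appModuleName) {
  const caller = firstAppFrame(frames, appModuleName);
  return {
    api,
    caller: caller ? `${caller.moduleName}!${caller.name}` : "(no app frame)",
    backtrace: frames.map((f) => `${f.address} ${f.moduleName}!${f.name}`),
  };
}

function resolveExport(name) {
  // Frida 17 renamed the global export lookup; fall back for older releases.
  if (typeof Module.findGlobalExportByName === "function") {
    return Module.findGlobalExportByName(name);
  }
  return Module.findExportByName(null, name);
}

function installHooks() {
  // Assumption: the first enumerated module is the app's main executable.
  // Calls made from embedded frameworks will show "(no app frame)".
  const appModuleName = Process.enumerateModules()[0].name;
  for (const api of INSECURE_RANDOM_APIS) {
    const address = resolveExport(api);
    if (address === null) continue; // symbol not exported on this system
    Interceptor.attach(address, {
      onEnter() {
        const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress);
        send(buildRecord(api, frames, appModuleName));
      },
    });
  }
}

// Hook only when loaded by Frida; elsewhere the helpers can be unit-tested.
if (typeof Interceptor !== "undefined") installHooks();
```

The `caller` field gives a starting point for the evaluation step: it names the app function to inspect in the disassembly to decide whether the value is used in a security-relevant context.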
Observation
The output should contain runtime calls to insecure random APIs, including function names and backtraces.
Evaluation
The test case fails if random values produced by insecure APIs are used in security-relevant contexts.
Further Validation Required:
Using the backtraces from the hook output, inspect the code locations using Reviewing Disassembled Objective-C and Swift Code to determine whether the usage is security-relevant:
- Determine whether the generated random values are used for security-relevant purposes, such as generating cryptographic keys, initialization vectors (IVs), nonces, authentication tokens, session identifiers, passwords, or PINs.
Best Practices
MASTG-BEST-0025: Use Secure Random Number Generator APIs
Demos
MASTG-DEMO-0074: Uses of Insecure Random Number Generation with frida-trace