diff --git a/Document/0x05e-Testing-Cryptography.md b/Document/0x05e-Testing-Cryptography.md index ca4eb0abd0..11561c7c5b 100644 --- a/Document/0x05e-Testing-Cryptography.md +++ b/Document/0x05e-Testing-Cryptography.md @@ -242,3 +242,5 @@ Cryptography requires secure pseudo random number generation (PRNG). Standard Ja In general, `SecureRandom` should be used. However, if the Android versions below Android 4.4 (API level 19) are supported, additional care needs to be taken in order to work around the bug in Android 4.1-4.3 (API level 16-18) versions that [failed to properly initialize the PRNG](https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html "Some SecureRandom Thoughts"). Most developers should instantiate `SecureRandom` via the default constructor without any arguments. Other constructors are for more advanced uses and, if used incorrectly, can lead to decreased randomness and security. The PRNG provider backing `SecureRandom` uses the `SHA1PRNG` from `AndroidOpenSSL` (Conscrypt) provider. + +Check the [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) for more details. diff --git a/mitigations/android-use-secure-random.md b/mitigations/android-use-secure-random.md index ef3f9c5367..776fca39bf 100644 --- a/mitigations/android-use-secure-random.md +++ b/mitigations/android-use-secure-random.md 
@@ -5,4 +5,7 @@ platform: android [`java.security.SecureRandom`](https://developer.android.com/reference/java/security/SecureRandom) uses SHA1PRNG by default to produce non-deterministic results from a seed based on system thread timing obtained from `dev/urandom`. This seeding occurs automatically during object construction or acquisition, eliminating the need for explicit seeding of the PRNG. -The default constructor is usually sufficient for generating secure random values. However, while other constructors are available for advanced use cases, their improper use could reduce the randomness of the output. Therefore, non-default constructors should be used with caution. +The default [no-argument constructor of `SecureRandom`](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers "Generation of Strong Random Numbers") is usually recommended for generating secure random values, as it uses the system-specified seed value to generate a 128-byte-long random number. + +Providing a hardcoded seed to the constructor of `SecureRandom` is [discouraged in the Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng?source=studio#weak-prng-java-security-securerandom), as it may lead to introducing deterministic behavior of `SecureRandom` in some implementations. +The `SecureRandom` documentation explains that [the provided seed normally supplements, rather than replaces, the existing seed](https://developer.android.com/reference/java/security/SecureRandom?hl=en#setSeed(byte[])), but this may not apply if an [old security provider](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html) is used. diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md index b9d64ed1a2..0b27f21ae4 100644 --- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md 
@@ -2,7 +2,7 @@ platform: android title: Insecure Random API Usage id: MASTG-TEST-0204 -type: [static] +type: [static, dynamic] mitigations: - android-use-secure-random prerequisites: 
@@ -13,11 +13,15 @@ weakness: MASWE-0027 ## Overview -Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as `java.util.Random`, which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations. +Android apps sometimes use an insecure [pseudorandom number generator (PRNG)](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produces identical number sequences when initialized with the same seed across all Java implementations. +In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. +See the [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details. ## Steps -1. Run a static analysis (@MASTG-TECH-0014) tool on the app and look for insecure random APIs. +1. 
Run a static analysis (@MASTG-TECH-0014) tool on the app and look for insecure random APIs, or you can use @MASTG-TECH-0033 to detect the use of such APIs. +2. For each of the identified API uses, check if they are used in a security relevant context. +For this, you can reverse engineer the app (@MASTG-TECH-0017) and inspect the code(@MASTG-TECH-0023). ## Observation @@ -25,4 +29,4 @@ The output should contain a list of locations where insecure random APIs are use ## Evaluation -The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts. +The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as generating passwords or authentication tokens. diff --git a/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md b/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md index 53c827517d..88b4a05326 100644 --- a/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md +++ b/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md @@ -8,6 +8,9 @@ title: Testing Random Number Generation masvs_v1_levels: - L1 - L2 +status: deprecated +covered_by: ['MASTG-TEST-0204', 'MASTG-TEST-0205'] +deprecation_reason: New version available in MASTG V2 --- ## Overview
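Review bot: In Document/0x05e-Testing-Cryptography.md, the added "Check the [Android Documentation](...) for more details." link has no title text, while the other link in the same paragraph carries one ("Some SecureRandom Thoughts"). Suggest giving the new link a title as well so the file stays consistent.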
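Review bot: In mitigations/android-use-secure-random.md, the new sentence says the no-argument constructor "uses the system-specified seed value to generate a 128-byte-long random number", but the constructor only returns a seeded generator; the length of the output is whatever the caller asks for, for example the size of the array passed to `nextBytes`. Suggest dropping the 128-byte figure or stating that it comes from the linked example. Two smaller points in the same hunk: the `?source=studio` and `?hl=en` query parameters can be removed from the links, and the `#setSeed(byte[])` fragment puts unescaped parentheses and brackets inside a Markdown link target, which may cut the URL short when rendered.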
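Review bot: In tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md, `type` changes to `[static, dynamic]`, but the Observation section is not touched by any hunk and, going by the hunk context, still reads "The output should contain a list of locations where insecure random APIs are use...". Suggest extending the Observation to say what the output of the dynamic path (@MASTG-TECH-0033) should contain, so that both test types have a defined result.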
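Review bot: In the Overview and Steps hunk of MASTG-TEST-0204.md, the rewritten Overview sentence changes "produce" to "produces" although the subject is still plural (`java.util.Random` and `Math.random()`), so the original verb should be kept. In the Steps, "inspect the code(@MASTG-TECH-0023)" is missing a space before the parenthesis, "security relevant context" should be hyphenated to match "security-relevant contexts" in the Evaluation, and the continuation line "For this, you can reverse engineer..." should be indented under item 2 so it stays part of that list item. The three added Overview sentences also follow the existing paragraph with no blank line, so they will render as one block; add a blank line if a separate paragraph is intended.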
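Review bot: In tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md, `covered_by` lists 'MASTG-TEST-0205', which this patch neither adds nor modifies; only MASTG-TEST-0204 is touched here. Please confirm that MASTG-TEST-0205 already exists in tests-beta, otherwise the deprecation notice will point readers to a missing test.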