Appboy / appboy-android-sdk

Public repo for the Braze Android SDK
https://www.braze.com

[Bug]: The App uses an insecure Random Number Generator. #254

Closed krishnapatait closed 1 year ago

krishnapatait commented 1 year ago

Braze Android SDK Version

23.0.1

Steps To Reproduce

CWE: CWE-330: Use of Insufficiently Random Values
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-6

Expected Behavior

Secure randomisation should be used.

Actual Incorrect Behavior

Insecure randomization is used.

Verbose Logs

IntentUtils.java (com.braze.support.IntentUtils.java):
import java.util.Random;
getRandom()
getRequestCode()

d1.java (bo.app.d1.java):
random.nextInt(Math.abs(i - i2) + 1) + Math.min(i, i2)

Additional Information

We need to resolve this as soon as possible.

radixdev commented 1 year ago

That request code is not used to secure any private information. Braze Intents are secured via explicit package class assignment, as per Android recommendations.

Thus the "insecure cryptography" error does not apply here. Usually tools will just see `random` and flag it, but they are not sophisticated enough to understand the usage.
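An added illustration of the distinction made above (example code written for this thread, not Braze SDK code): a PendingIntent request code drawn from `java.util.Random` next to an explicit Intent, contrasted with a value that genuinely needs `SecureRandom`. The receiver class and action string are constructed for the example.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Base64;
import java.security.SecureRandom;
import java.util.Random;

public final class RandomnessUsageExample {
    // Hypothetical receiver, standing in for whatever component the app targets.
    public static final class ExampleReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context context, Intent intent) { /* handle */ }
    }

    // java.util.Random is adequate here: the request code only distinguishes one
    // PendingIntent from another. Predicting it yields nothing, because the Intent
    // below is explicit and cannot be redirected to another app or component.
    private static final Random REQUEST_CODES = new Random();

    // Same range logic as the expression quoted in the report:
    // uniform integer in [min(i, i2), max(i, i2)] inclusive (caller keeps the span < Integer.MAX_VALUE).
    static int randomIntInRange(Random random, int i, int i2) {
        return random.nextInt(Math.abs(i - i2) + 1) + Math.min(i, i2);
    }

    static PendingIntent explicitBroadcast(Context context) {
        Intent intent = new Intent("com.example.ACTION_EXAMPLE");   // constructed action name
        intent.setClass(context, ExampleReceiver.class);             // explicit component: only this class receives it
        intent.setPackage(context.getPackageName());                 // and only inside this app
        int requestCode = randomIntInRange(REQUEST_CODES, 0, 1_000_000);
        return PendingIntent.getBroadcast(context, requestCode, intent, PendingIntent.FLAG_IMMUTABLE);
    }

    // Contrast: a value that protects something (session token, nonce, key material)
    // must come from SecureRandom. This is the situation CWE-330 actually describes.
    static String newSessionToken() {
        byte[] bytes = new byte[32];
        new SecureRandom().nextBytes(bytes);
        return Base64.encodeToString(bytes, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }
}
```

When triaging a scanner hit on `Random`, the question to ask is whether an attacker who predicts the value gains anything; for an explicit-Intent request code the answer is no, for the token it is yes.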