BlinkID / blinkid-cordova

ID scanning for cross-platform apps built with Cordova and Phonegap.

Security exception analysis required on plugin #102

Closed jdixosnd closed 5 years ago

jdixosnd commented 5 years ago

Please find the comments raised by our security team with respect to some microblink libraries. It will be great if you analyse below and provide your inputs.

CWE-921 - External data storage

Description: The mobile application can access external storage (e.g. SD card) in read or write mode. The application's data stored on the external data storage may be accessed by other applications (including malicious ones) under certain conditions and bring risks of data corruption or tampering.

Example of insecure code:

```java
import android.os.Environment;

/* Checks if external storage is available for read and write */
public boolean isExternalStorageWritable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state)) {
        return true;
    }
    return false;
}

/* Checks if external storage is available to at least read */
public boolean isExternalStorageReadable() {
    String state = Environment.getExternalStorageState();
    if (Environment.MEDIA_MOUNTED.equals(state)
            || Environment.MEDIA_MOUNTED_READ_ONLY.equals(state)) {
        return true;
    }
    return false;
}
```

Example of secure code:

```java
// If you use external storage you should perform input validation.
// In the case that you use external storage for executable files,
// these files should be signed and cryptographically verified.
```

Details:

```text
There is 'getExternalStorageState()' found in file 'org/apache/cordova/camera/CameraLauncher.java':
line 133: File externalCacheDir;
line 134: if (Environment.getExternalStorageState().equals("mounted")) {
line 135: externalCacheDir = this.cordova.getActivity().getExternalCacheDir();
line 1181: private Uri whichContentStore() {
line 1182: if (Environment.getExternalStorageState().equals("mounted")) {
line 1183: return Media.EXTERNAL_CONTENT_URI;
There is 'getExternalStorageState()' found in file 'com/microblink/f/b.java':
line 18: if (b == null) {
line 19: if (Environment.getExternalStorageState().equals("mounted")) {
line 20: b = Environment.getExternalStorageDirectory() + "/microblink";
There is 'getExternalCacheDir()' found in file 'org/apache/cordova/camera/CameraLauncher.java':
line 134: if (Environment.getExternalStorageState().equals("mounted")) {
line 135: externalCacheDir = this.cordova.getActivity().getExternalCacheDir();
line 136: } else {
There is 'getExternalStoragePublicDirectory()' found in file 'org/apache/cordova/camera/CameraLauncher.java':
line 501: String str = "IMG" + new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date()) + (this.encodingType == 0 ? ".jpg" : ".png");
line 502: File externalStoragePublicDirectory = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
line 503: externalStoragePublicDirectory.mkdirs();
There is 'getExternalStoragePublicDirectory()' found in file 'it/nexxa/base64ToGallery/Base64ToGallery.java':
line 51: if (str2.compareTo("2.3.3") >= 1) {
line 52: externalStoragePublicDirectory = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
line 53: if (externalStoragePublicDirectory.exists()) {
There is 'getExternalStorageDirectory()' found in file 'org/apache/cordova/camera/CameraLauncher.java':
line 1286: private String getFileNameFromUri(Uri uri) {
line 1287: return Environment.getExternalStorageDirectory().getAbsolutePath() + uri.toString().split("external_files")[1];
line 1288: }
There is 'getExternalStorageDirectory()' found in file 'org/apache/cordova/camera/FileHelper.java':
line 52: if ("primary".equalsIgnoreCase(split[0])) {
line 53: return Environment.getExternalStorageDirectory() + "/" + split[1];
line 54: }
There is 'getExternalStorageDirectory()' found in file 'org/apache/cordova/camera/CordovaUri.java':
line 38: private String getFileNameFromUri(Uri uri) {
line 39: return Environment.getExternalStorageDirectory().getAbsolutePath() + uri.toString().split("external_files")[1];
line 40: }
There is 'getExternalStorageDirectory()' found in file 'it/nexxa/base64ToGallery/Base64ToGallery.java':
line 59: } else {
line 60: file = Environment.getExternalStorageDirectory();
line 61: }
There is 'getExternalStorageDirectory()' found in file 'com/microblink/f/b.java':
line 19: if (Environment.getExternalStorageState().equals("mounted")) {
line 20: b = Environment.getExternalStorageDirectory() + "/microblink";
line 21: } else if (context != null) {
```

CVSSv3 Base Score: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Reference: https://developer.android.com/training/basics/data-storage/files.html

Predictable Random Number Generator [M5] [CWE-338] [SAST] MEDIUM

Description: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application, an attacker can provide the application with a predictable token to validate and then execute a sensitive activity within the application or its backend.

Example of insecure code:

```java
import java.util.Random;

Random random = new Random();
byte bytes[] = new byte[20];
random.nextBytes(bytes);
```

Example of secure code:

```java
import java.security.SecureRandom;

SecureRandom random = new SecureRandom();
byte bytes[] = new byte[20];
random.nextBytes(bytes);
```

Details:

```text
There is 'new Random()' found in file 'com/microblink/view/b/c.java':
line 64: this.c = i2;
line 65: this.f = new Random();
line 66: this.b = new Handler();
```

i1E commented 5 years ago

Hi @jdixosnd,

1) Our SDK does not require the external storage permission and it does not read/write any data to/from the external storage. Please check if you are using the external storage in your application code, or maybe some other dependency uses the external storage. You can remove the declaration of the external storage permission if your application does not need the external storage.

2) We are using the random number generator just to randomize the drawing of animated dots as a camera overlay over the recognized OCR characters, so it is not a security issue.
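The scanner output in the first post and the maintainer's reply turn on the same question: which component actually owns each flagged call. The script below is an added triage helper, not code from the issue, the BlinkID SDK, or the scanner. It parses the `There is '<api>' found in file '<path>':` / `line N: <code>` format reproduced above, keeps only the context lines that really contain the flagged API (the scanner also prints neighbouring lines), and attributes each hit to a component by Java package prefix. The package-to-owner map is an assumption based on the paths in the report, and the `com/example/app/TokenMaker.java` hit is constructed to show how an unattributed application-code hit is reported; the other sample lines are copied from the report in the issue.

```python
"""Attribute SAST hits of the form seen in this issue to the component that owns them."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: package prefix -> owning component, derived from the paths in the report.
COMPONENT_OWNERS = {
    "com/microblink/": "BlinkID SDK",
    "org/apache/cordova/camera/": "cordova-plugin-camera",
    "it/nexxa/base64ToGallery/": "cordova-base64-to-gallery",
}
UNATTRIBUTED = "application code (unattributed)"

HIT_RE = re.compile(r"^There is '(?P<api>[^']+)' found in file '(?P<path>[^']+)':\s*$")
LINE_RE = re.compile(r"^line (?P<no>\d+): (?P<code>.*)$")

# Constructed sample: first four hits copied from the issue, last one made up.
SAMPLE_REPORT = """\
There is 'getExternalStorageState()' found in file 'org/apache/cordova/camera/CameraLauncher.java':
line 133: File externalCacheDir;
line 134: if (Environment.getExternalStorageState().equals("mounted")) {
line 135: externalCacheDir = this.cordova.getActivity().getExternalCacheDir();
There is 'getExternalStorageState()' found in file 'com/microblink/f/b.java':
line 18: if (b == null) {
line 19: if (Environment.getExternalStorageState().equals("mounted")) {
line 20: b = Environment.getExternalStorageDirectory() + "/microblink";
There is 'getExternalStorageDirectory()' found in file 'it/nexxa/base64ToGallery/Base64ToGallery.java':
line 59: } else {
line 60: file = Environment.getExternalStorageDirectory();
line 61: }
There is 'new Random()' found in file 'com/microblink/view/b/c.java':
line 64: this.c = i2;
line 65: this.f = new Random();
line 66: this.b = new Handler();
There is 'new Random()' found in file 'com/example/app/TokenMaker.java':
line 10: Random r = new Random();
"""


@dataclass
class Hit:
    api: str
    path: str
    context: list = field(default_factory=list)  # (line_no, code) as printed by the scanner

    def flagged_lines(self):
        """Only the context lines that contain the flagged API, not the neighbours."""
        needle = self.api.split("(")[0]  # 'getExternalStorageState()' -> 'getExternalStorageState'
        return [(n, c) for n, c in self.context if needle in c]


def parse_report(text):
    """Turn the scanner's text into Hit objects; 'line N:' lines attach to the last hit."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["api"], m["path"]))
            continue
        m = LINE_RE.match(line)
        if m and hits:
            hits[-1].context.append((int(m["no"]), m["code"]))
    return hits


def owner_of(path):
    """Longest matching package prefix wins; anything unmapped is treated as app code."""
    best = max((p for p in COMPONENT_OWNERS if path.startswith(p)), key=len, default=None)
    return COMPONENT_OWNERS[best] if best else UNATTRIBUTED


def summarize(hits):
    """owner -> api -> sorted 'path:line' locations where the API is really called."""
    summary = defaultdict(lambda: defaultdict(set))
    for h in hits:
        for n, _ in h.flagged_lines():
            summary[owner_of(h.path)][h.api].add(f"{h.path}:{n}")
    return {o: {a: sorted(v) for a, v in apis.items()} for o, apis in summary.items()}


if __name__ == "__main__":
    for owner, apis in summarize(parse_report(SAMPLE_REPORT)).items():
        print(owner)
        for api, where in apis.items():
            print(f"  {api}: {', '.join(where)}")
```

The summary makes the split in the maintainer's reply explicit: hits under `org/apache/cordova/camera/` and `it/nexxa/` belong to other Cordova plugins the application bundles, hits under `com/microblink/` are the SDK's, and anything unmapped is the application's own code to review.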