katzer / cordova-plugin-local-notifications

Cordova Local-Notification Plugin
Apache License 2.0

usage of insecure Random Number Generator in /notification/Builder.java #1954

Closed nfmobile closed 3 weeks ago

nfmobile commented 3 years ago

Dear Support Team,

When scanning our Ionic application, which uses the local notifications plugin, with the MOBSF security scanning tool, we are getting the below vulnerability related to the usage of the Random Java object inside /notification/Builder.java:

The App uses an insecure Random Number Generator.
CVSS V2: 7.5 (high)
CWE: CWE-330 Use of Insufficiently Random Values
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-6

Insecure random number errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict.

Page: de/appplant/cordova/plugin/notification/Builder.java

Security Improvement: Use a cryptographic pseudo-random number generator to generate random numbers. Please check the fix suggested in these links: https://www.geeksforgeeks.org/random-vs-secure-random-numbers-java/ and https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom where it is recommended to use SecureRandom.

Your Environment

Expected Behavior

Replace the import of java.util.Random; by java.util.SecureRandom to resolve the security issue.

Actual Behavior

the actual import of java.util.Random is still present in /notification/Builder.java

Steps to Reproduce

Scan any APK that uses this plugin using MOBSF tool

Context

Android APK scanning

Debug logs

The Android security scanning logs are shown in the screen captures attached above.
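The weak-versus-hardened pattern the report asks for, as an added example that is not the plugin's code (Builder.java is not reproduced here): the class is java.security.SecureRandom, and since it extends java.util.Random, nextInt(bound) keeps the same signature, so the import swap is a drop-in change. The seed value and id counts below are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

/** Added example, not plugin code: statistical vs. cryptographic source for a random id. */
public final class RandomIdExample {

    /** Weak: java.util.Random is a statistical PRNG; given its seed the whole stream is reproducible. */
    static int[] weakIds(long seed, int count) {
        Random rnd = new Random(seed);          // 48-bit LCG state, fully determined by the seed
        int[] ids = new int[count];
        for (int i = 0; i < count; i++) {
            ids[i] = rnd.nextInt(Integer.MAX_VALUE);
        }
        return ids;
    }

    /** Hardened: SecureRandom is seeded by the platform CSPRNG; never call setSeed() with a fixed value. */
    static int[] secureIds(int count) {
        SecureRandom sr = new SecureRandom();   // default constructor = properly seeded by the OS
        int[] ids = new int[count];
        for (int i = 0; i < count; i++) {
            ids[i] = sr.nextInt(Integer.MAX_VALUE);   // same call shape as java.util.Random
        }
        return ids;
    }

    public static void main(String[] args) {
        // Two Random instances built from the same (constructed) seed emit identical "random" ids.
        int[] a = weakIds(42L, 5);
        int[] b = weakIds(42L, 5);
        System.out.println("java.util.Random, same seed -> same ids: " + Arrays.equals(a, b));

        // Two independent SecureRandom instances share no seed; equal streams are not expected.
        int[] c = secureIds(5);
        int[] d = secureIds(5);
        System.out.println("SecureRandom, independent instances -> same ids: " + Arrays.equals(c, d));
    }
}
```

Whether the scanner finding is actually exploitable depends on what Builder.java uses the value for, which the report does not state; MobSF flags the java.util.Random usage pattern regardless of context.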

mahen23 commented 2 years ago

Meh

Sqwd commented 2 years ago

Meh

Quality response big boy

mlblount45 commented 7 months ago

Any ETA on a resolution for this security issue?