Dear Support Team,
When scanning our ionic application that uses the local notifications plugin from the MOBSF security scanning tool, we are getting the below vulnerability related to the usage of Random Java object inside /notification/Builder.java : The App uses an insecure Random Number Generator. CVSS V2: 7.5 (high) CWE: CWE-330 Use of Insufficiently Random Values OWASP Top 10: M5: Insufficient Cryptography OWASP MASVS: MSTG-CRYPTO-6
Insecure random number errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict.
Page: de/appplant/cordova/plugin/notification/Builder.java
Security Improvement: Use a cryptographic pseudo-random number generator to generate random numbers. Please check the fix suggested in these links: https://www.geeksforgeeks.org/random-vs-secure-random-numbers-java/ and https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom where it is recommended to use SecureRandom
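The following is an added illustration, not code from the plugin: it shows the property the report describes (a statistical PRNG reproduces the same stream from the same seed, a cryptographic one does not) and the shape of the suggested replacement. Note that the class lives in `java.security.SecureRandom`, and it extends `java.util.Random`, so `nextInt()` and friends keep their signatures and call sites need no other change.

```java
// Added example, not the plugin's own code. Demonstrates why MobSF objects to
// java.util.Random and what the SecureRandom replacement looks like.
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public final class RandomVsSecureRandom {

    /** Draws n ints from any generator that exposes the java.util.Random API. */
    static int[] draw(Random rng, int n) {
        int[] out = new int[n];
        for (int i = 0; i < n; i++) {
            out[i] = rng.nextInt();
        }
        return out;
    }

    /** Statistical PRNG: the same seed always yields the same stream, which is
     *  the "easy to reproduce numeric stream" the scanner finding refers to. */
    static boolean statisticalIsReproducible(long seed) {
        return Arrays.equals(draw(new Random(seed), 8), draw(new Random(seed), 8));
    }

    /** Cryptographic PRNG: each instance self-seeds from the platform entropy
     *  source, so two fresh instances produce independent streams. */
    static boolean cryptographicIsReproducible() {
        return Arrays.equals(draw(new SecureRandom(), 8), draw(new SecureRandom(), 8));
    }

    /** Hardened form of a "give me a random int" helper: same API as before,
     *  backed by SecureRandom instead of Random. A single shared instance is
     *  fine; SecureRandom is thread-safe and should not be re-created per call. */
    private static final SecureRandom SECURE = new SecureRandom();

    static int secureRandomId() {
        return SECURE.nextInt();
    }

    public static void main(String[] args) {
        System.out.println("java.util.Random, same seed twice, identical stream: "
                + statisticalIsReproducible(42L));
        System.out.println("SecureRandom, two instances, identical stream: "
                + cryptographicIsReproducible());
        System.out.println("SecureRandom-backed id: " + secureRandomId());
    }
}
```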
Your Environment
cordova -v: 10.0.0
cordova platform ls: android 9.1.0
Expected Behavior
Replace the import of java.util.Random with java.util.SecureRandom to resolve the security issue
Actual Behavior
The import of java.util.Random is still present in /notification/Builder.java
Steps to Reproduce
Scan any APK that uses this plugin using MOBSF tool
Context
Android APK scanning
Debug logs
The Android security scanning logs are shown in the above attached screen captures.