mvayngrib
commented
4 years ago @lhuria94 what makes u say it uses a predictable random number generator?
Open lhuria94 opened 4 years ago
mvayngrib
commented
4 years ago @lhuria94 what makes u say it uses a predictable random number generator?
lhuria94
commented
4 years ago I am not saying, its the scan by the security team.
Here is the example reference they provided:
With details like:
mvayngrib
commented
4 years ago this it the randombytes module used: https://github.com/mvayngrib/react-native-randombytes
the method of getting random bytes depends on async/sync usage: https://github.com/mvayngrib/react-native-randombytes#usage
the async method: https://github.com/mvayngrib/react-native-randombytes/blob/master/RNRandomBytes.m#L32
the sync method uses SJCL with a random seed generated by SecRandomCopyBytes
lhuria94
commented
4 years ago Oh okay, that means instead of using it like:
const password = crypto.randomBytes(10).toString('hex');
We should use:
// asynchronous API
// uses iOS-side SecRandomCopyBytes
const password = randomBytes(10, (err, bytes) => {
// bytes is a Buffer object
return bytes.toString('hex'));
})@lhuria94 yes, that would be the more secure way to use it. I've been meaning to update react-native-randombytes to use the newly available synchronous react-native bridge methods (via RCT_EXPORT_SYNCHRONOUS_TYPED_METHOD), so that the sync method would work as well but haven't gotten to it yet
lhuria94
commented
4 years ago No worries, Thanks a lot for the quick help. Ill update if this resolves the security issue.
Issue: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an attacker can provide application with a predictable token to validate and then execute a sensitive activity within the application or its backend.
Reference:
Can you help if this is related to crypto randomBytes function?