PREDICTABLE RANDOM NUMBER GENERATOR [Security issue] #57
Comments
@lhuria94 what makes you say it uses a predictable random number generator?

This is the randombytes module used: https://github.com/mvayngrib/react-native-randombytes

The method of getting random bytes depends on async/sync usage: https://github.com/mvayngrib/react-native-randombytes#usage

The async method: https://github.com/mvayngrib/react-native-randombytes/blob/master/RNRandomBytes.m#L32

The sync method uses SJCL with a random seed generated by SecRandomCopyBytes.
Oh okay, that means instead of using it like: We should use:
@lhuria94 yes, that would be the more secure way to use it. I've been meaning to update react-native-randombytes to use the newly available synchronous react-native bridge methods (via RCT_EXPORT_SYNCHRONOUS_TYPED_METHOD), so that the sync method would work as well, but I haven't gotten to it yet.

No worries, thanks a lot for the quick help. I'll update if this resolves the security issue.
Issue:
The mobile application uses a predictable Random Number Generator (RNG).

Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an attacker can provide the application with a predictable token to validate and then execute a sensitive activity within the application or its backend.
Reference:
Can you help if this is related to crypto randomBytes function?