
usage of insecure Random Number Generator in /notification/Builder.java

Open nfmobile opened this issue 3 years ago • 3 comments

Dear Support Team,

When scanning our Ionic application that uses the local notifications plugin with the MobSF security scanning tool, we are getting the below vulnerability related to the usage of the Random Java object inside /notification/Builder.java:

The App uses an insecure Random Number Generator.
CVSS V2: 7.5 (high)
CWE: CWE-330 Use of Insufficiently Random Values
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-6

Insecure random number errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict.

Page: de/appplant/cordova/plugin/notification/Builder.java

Security improvement: use a cryptographic pseudo-random number generator to generate random numbers. Please check the fix suggested in these links: https://www.geeksforgeeks.org/random-vs-secure-random-numbers-java/ and https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom where it is recommended to use SecureRandom.

[attached screenshots: secure_random_1, secure_random_2]

Your Environment

  • Plugin version: 0.9.0-beta.2
  • Platform: android
  • OS version: android 9.1.0
  • Device manufacturer / model: huawei y9
  • Cordova version (cordova -v): 10.0.0
  • Cordova platform version (cordova platform ls): android 9.1.0
  • Plugin config:
  • Ionic Version (if using Ionic): 5.4.16

Expected Behavior

Replace the import of java.util.Random by java.util.SecureRandom to resolve the security issue.

Actual Behavior

The actual import of java.util.Random is still present in /notification/Builder.java.

Steps to Reproduce

Scan any APK that uses this plugin using the MobSF tool.

Context

Android APK scanning

Debug logs

The Android security scanning logs are shown in the above attached screen captures.

nfmobile avatar May 24 '21 07:05 nfmobile
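The contrast the report describes, as an added example that is not code from cordova-plugin-local-notifications: java.util.Random is a 48-bit linear congruential generator, so a caller who knows (or guesses) the seed gets the identical stream, while java.security.SecureRandom (note the package: java.security, not java.util) draws from the platform entropy source and has no reproducible seed. The seed value below is constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

// Added example, not part of the plugin. Demonstrates why MobSF flags
// java.util.Random under CWE-330 and what the SecureRandom replacement looks like.
public class RandomVsSecureRandom {

    // Statistical PRNG: a 48-bit LCG. Same seed, same stream, every time.
    // new Random() without a seed only hides the seed; the structure is unchanged,
    // and the seed can still be recovered from a few observed outputs.
    static int[] statisticalStream(long seed, int count) {
        Random rng = new Random(seed);
        int[] out = new int[count];
        for (int i = 0; i < count; i++) out[i] = rng.nextInt();
        return out;
    }

    // Cryptographic PRNG: seeded internally from the OS entropy source
    // (/dev/urandom on Android), so there is no seed for anyone to replay.
    static int[] cryptographicStream(int count) {
        SecureRandom rng = new SecureRandom();
        int[] out = new int[count];
        for (int i = 0; i < count; i++) out[i] = rng.nextInt();
        return out;
    }

    public static void main(String[] args) {
        // Constructed seed: a plausible wall-clock millisecond value, the kind of
        // low-entropy seed an attacker can enumerate.
        long seed = 1621839600000L;
        int[] a = statisticalStream(seed, 4);
        int[] b = statisticalStream(seed, 4);
        System.out.println("java.util.Random, same seed twice, streams equal: " + Arrays.equals(a, b));

        int[] c = cryptographicStream(4);
        int[] d = cryptographicStream(4);
        System.out.println("SecureRandom, two instances, streams equal:       " + Arrays.equals(c, d));
    }
}
```

The first comparison is always true, the second is false except with negligible probability; if the value in Builder.java is used for anything an attacker benefits from guessing, the SecureRandom form is the drop-in replacement (same nextInt() API).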

Meh

mahen23 avatar Oct 28 '21 12:10 mahen23

Meh

Quality response big boy

Sqwd avatar Aug 18 '22 11:08 Sqwd

Any ETA on a resolution for this security issue?

mlblount45 avatar Mar 12 '24 17:03 mlblount45