From cff59ef71c07e6f683e907c4af98772ead1aa254 Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nuno.antunes@guardsquare.com>
Date: Mon, 4 Nov 2024 14:10:03 +0000
Subject: [PATCH 1/6] Mark MASTG-TEST-0016 as covered by v2

---
 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md | 7 ++++---
 tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md      | 3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
index b9d64ed1a2..94c4bd32fd 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
@@ -2,7 +2,7 @@
 platform: android
 title: Insecure Random API Usage
 id: MASTG-TEST-0204
-type: [static]
+type: [static, dynamic]
 mitigations:
 - android-use-secure-random
 prerequisites:
@@ -14,10 +14,11 @@ weakness: MASWE-0027
 ## Overview
 
 Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as `java.util.Random`, which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
+In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
 
 ## Steps
 
-1. Run a static analysis (@MASTG-TECH-0014) tool on the app and look for insecure random APIs.
+1. Run a static analysis (@MASTG-TECH-0014) tool on the app and look for insecure random APIs, or you can use @MASTG-TECH-0033 to detect the use of such APIs.
 
 ## Observation
 
@@ -25,4 +26,4 @@ The output should contain a list of locations where insecure random APIs are use
 
 ## Evaluation
 
-The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts.
+The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as passwords or tokens.
diff --git a/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md b/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md
index 53c827517d..88b4a05326 100644
--- a/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md
+++ b/tests/android/MASVS-CRYPTO/MASTG-TEST-0016.md
@@ -8,6 +8,9 @@ title: Testing Random Number Generation
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: ['MASTG-TEST-0204', 'MASTG-TEST-0205']
+deprecation_reason: New version available in MASTG V2
 ---
 
 ## Overview

From f26d1f0ef2dc4a779d2cd6125cf45935a3369041 Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nuno.antunes@guardsquare.com>
Date: Mon, 4 Nov 2024 14:29:32 +0000
Subject: [PATCH 2/6] Add documentation refs

---
 Document/0x05e-Testing-Cryptography.md             | 2 ++
 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Document/0x05e-Testing-Cryptography.md b/Document/0x05e-Testing-Cryptography.md
index ca4eb0abd0..4018717631 100644
--- a/Document/0x05e-Testing-Cryptography.md
+++ b/Document/0x05e-Testing-Cryptography.md
@@ -242,3 +242,5 @@ Cryptography requires secure pseudo random number generation (PRNG). Standard Ja
 In general, `SecureRandom` should be used. However, if the Android versions below Android 4.4 (API level 19) are supported, additional care needs to be taken in order to work around the bug in Android 4.1-4.3 (API level 16-18) versions that [failed to properly initialize the PRNG](https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html "Some SecureRandom Thoughts").
 
 Most developers should instantiate `SecureRandom` via the default constructor without any arguments. Other constructors are for more advanced uses and, if used incorrectly, can lead to decreased randomness and security. The PRNG provider backing `SecureRandom` uses the `SHA1PRNG` from `AndroidOpenSSL` (Conscrypt) provider.
+
+Check [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) for details.
diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
index 94c4bd32fd..7ec06df345 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
@@ -13,8 +13,9 @@ weakness: MASWE-0027
 
 ## Overview
 
-Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as `java.util.Random`, which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
+Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
 In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
+See [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details.
 
 ## Steps
 

From d906a3fe915fb120dfc2c0cccfe485370ea5399c Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nmsantunes@gmail.com>
Date: Tue, 5 Nov 2024 09:50:26 +0000
Subject: [PATCH 3/6] Apply suggestions from code review

Reviewer suggestions

Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
---
 Document/0x05e-Testing-Cryptography.md             | 2 +-
 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Document/0x05e-Testing-Cryptography.md b/Document/0x05e-Testing-Cryptography.md
index 4018717631..11561c7c5b 100644
--- a/Document/0x05e-Testing-Cryptography.md
+++ b/Document/0x05e-Testing-Cryptography.md
@@ -243,4 +243,4 @@ In general, `SecureRandom` should be used. However, if the Android versions belo
 
 Most developers should instantiate `SecureRandom` via the default constructor without any arguments. Other constructors are for more advanced uses and, if used incorrectly, can lead to decreased randomness and security. The PRNG provider backing `SecureRandom` uses the `SHA1PRNG` from `AndroidOpenSSL` (Conscrypt) provider.
 
-Check [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) for details.
+Check the [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) for more details.
diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
index 7ec06df345..a2a3e96cb6 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
@@ -13,7 +13,7 @@ weakness: MASWE-0027
 
 ## Overview
 
-Android apps sometimes use insecure pseudorandom number generators (PRNGs) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
+Android apps sometimes use insecure [pseudorandom number generators (PRNGs)](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
 In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
 See [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details.
 
@@ -27,4 +27,4 @@ The output should contain a list of locations where insecure random APIs are use
 
 ## Evaluation
 
-The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as passwords or tokens.
+The test case fails if you can find random numbers generated using those APIs that are used in security-relevant contexts, such as generating passwords or authentication tokens.

From 87ee9674e3a4a8f1efe7f7a1eaeeb7e9017179aa Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nuno.antunes@guardsquare.com>
Date: Tue, 5 Nov 2024 10:27:31 +0000
Subject: [PATCH 4/6] Complemented analysis and mitigations

---
 mitigations/android-use-secure-random.md           | 2 +-
 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/mitigations/android-use-secure-random.md b/mitigations/android-use-secure-random.md
index ef3f9c5367..9b068bbf71 100644
--- a/mitigations/android-use-secure-random.md
+++ b/mitigations/android-use-secure-random.md
@@ -5,4 +5,4 @@ platform: android
 
 [`java.security.SecureRandom`](https://developer.android.com/reference/java/security/SecureRandom) uses SHA1PRNG by default to produce non-deterministic results from a seed based on system thread timing obtained from `dev/urandom`. This seeding occurs automatically during object construction or acquisition, eliminating the need for explicit seeding of the PRNG.
 
-The default constructor is usually sufficient for generating secure random values. However, while other constructors are available for advanced use cases, their improper use could reduce the randomness of the output. Therefore, non-default constructors should be used with caution.
+The default [no-argument constructor of `SecureRandom`](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers "Generation of Strong Random Numbers") is usually sufficient for generating secure random values, as it uses the system-specified seed value to generate a 128-byte-long random number.
diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
index a2a3e96cb6..c288a7c97f 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
@@ -15,11 +15,13 @@ weakness: MASWE-0027
 
 Android apps sometimes use insecure [pseudorandom number generators (PRNGs)](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
 In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
-See [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details.
+See the [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details.
 
 ## Steps
 
 1. Run a static analysis (@MASTG-TECH-0014) tool on the app and look for insecure random APIs, or you can use @MASTG-TECH-0033 to detect the use of such APIs.
+2. For each of the identified API uses, check if they are used in a security relevant context.
+For this, you can reverse engineer the app (@MASTG-TECH-0017) and inspect the code(@MASTG-TECH-0023).
 
 ## Observation
 

From b4b80028222834b0e1e0c0cdca40f67fc0f16cdc Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nuno.antunes@guardsquare.com>
Date: Wed, 6 Nov 2024 10:07:47 +0000
Subject: [PATCH 5/6] Add links to mitigations

---
 mitigations/android-use-secure-random.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mitigations/android-use-secure-random.md b/mitigations/android-use-secure-random.md
index 9b068bbf71..e1c3c7bb9b 100644
--- a/mitigations/android-use-secure-random.md
+++ b/mitigations/android-use-secure-random.md
@@ -5,4 +5,7 @@ platform: android
 
 [`java.security.SecureRandom`](https://developer.android.com/reference/java/security/SecureRandom) uses SHA1PRNG by default to produce non-deterministic results from a seed based on system thread timing obtained from `dev/urandom`. This seeding occurs automatically during object construction or acquisition, eliminating the need for explicit seeding of the PRNG.
 
-The default [no-argument constructor of `SecureRandom`](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers "Generation of Strong Random Numbers") is usually sufficient for generating secure random values, as it uses the system-specified seed value to generate a 128-byte-long random number.
+The default [no-argument constructor of `SecureRandom`](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers "Generation of Strong Random Numbers") is usually recommended for generating secure random values, as it uses the system-specified seed value to generate a 128-byte-long random number.
+
+Providing an hard coded seed to the constructor of `SecureRandom` is [discouraged in Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng?source=studio#weak-prng-java-security-securerandom), as it may lead to introducing deterministic behavior of  `SecureRandom` in some implementations.
+`SecureRandom` documentation explains that [the provided seed supplements, rather than replacing the existing seed](https://developer.android.com/reference/java/security/SecureRandom?hl=en#setSeed(byte[])), but this may not apply if an [old security provider](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html) is being used.

From 7f1db9ac35011cdbc13c8702b13ae07786ab6f90 Mon Sep 17 00:00:00 2001
From: Nuno Antunes <nmsantunes@gmail.com>
Date: Thu, 7 Nov 2024 16:27:18 +0000
Subject: [PATCH 6/6] Apply suggestions from code review

Co-authored-by: Jeroen Beckers <me.githbub@dauntless.be>
---
 mitigations/android-use-secure-random.md           | 4 ++--
 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mitigations/android-use-secure-random.md b/mitigations/android-use-secure-random.md
index e1c3c7bb9b..776fca39bf 100644
--- a/mitigations/android-use-secure-random.md
+++ b/mitigations/android-use-secure-random.md
@@ -7,5 +7,5 @@ platform: android
 
 The default [no-argument constructor of `SecureRandom`](https://wiki.sei.cmu.edu/confluence/display/java/MSC02-J.+Generate+strong+random+numbers "Generation of Strong Random Numbers") is usually recommended for generating secure random values, as it uses the system-specified seed value to generate a 128-byte-long random number.
 
-Providing an hard coded seed to the constructor of `SecureRandom` is [discouraged in Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng?source=studio#weak-prng-java-security-securerandom), as it may lead to introducing deterministic behavior of  `SecureRandom` in some implementations.
-`SecureRandom` documentation explains that [the provided seed supplements, rather than replacing the existing seed](https://developer.android.com/reference/java/security/SecureRandom?hl=en#setSeed(byte[])), but this may not apply if an [old security provider](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html) is being used.
+Providing a hardcoded seed to the constructor of `SecureRandom` is [discouraged in the Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng?source=studio#weak-prng-java-security-securerandom), as it may lead to introducing deterministic behavior of  `SecureRandom` in some implementations.
+The `SecureRandom` documentation explains that [the provided seed normally supplements, rather than replaces, the existing seed](https://developer.android.com/reference/java/security/SecureRandom?hl=en#setSeed(byte[])), but this may not apply if an [old security provider](https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html) is used.
diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
index c288a7c97f..0b27f21ae4 100644
--- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
+++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0204.md
@@ -13,7 +13,7 @@ weakness: MASWE-0027
 
 ## Overview
 
-Android apps sometimes use insecure [pseudorandom number generators (PRNGs)](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produce identical number sequences when initialized with the same seed across all Java implementations.
+Android apps sometimes use an insecure [pseudorandom number generator (PRNG)](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) such as [`java.util.Random`](https://developer.android.com/reference/java/util/Random), which is essentially a linear congruential generator. This type of PRNG generates a predictable sequence of numbers for any given seed value, making the sequence reproducible and insecure for cryptographic use. In particular, `java.util.Random` and `Math.random()` ([the latter](https://franklinta.com/2014/08/31/predicting-the-next-math-random-in-java/) simply calling `nextDouble()` on a static `java.util.Random` instance) produces identical number sequences when initialized with the same seed across all Java implementations.
 In general, if a PRNG is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
 See the [Android Documentation](https://developer.android.com/privacy-and-security/risks/weak-prng) and the guide on ["random number generation"](../../../Document/0x05e-Testing-Cryptography.md#random-number-generation) for details.