Insufficient Cryptography

Hello All, My security team has reported below issue under severe category , please help me understand implications and solutions The application was found to be vulnerable because of issues related to the SecureRandom implementation. A static value is used each time the SecureRandom variable is created, which means that the results are not randomized on each individual instance. The code locations provided in the table below were identified as being the cause for the current risk status class Name : Lcom/crypho/plugins/AES;  Method Name: generateKeySpec class Name : Lorg/apache/cordova/CordovaBridge;  Method Name: generateBridgeSecret Appreciate your prompt response.   Thanks&Regards Salma
1 answers

Interestingly enough, this seems to be insecure by design. You can find the Java file here. In the source code, you will observe the following comment:


    /** Called by cordova.js to initialize the bridge. */
    //On old Androids SecureRandom isn't really secure, this is the least of your problems if
    //you're running Android 4.3 and below in 2017

Conclusion: you should either make a note about this and accept the existence of this insecure method to support old Android versions, or you should take action. Taking action could include: not use Cordova, open an issue in Cordova's bug tracker, or edit the Java file yourself.