DerScanner
Home / Vulnerability Database / Objective-C : Weak random number generator
Objective-C

Objective-C : Weak random number generator

Classification

OWASP Mobile Top 10 2014
M6-Broken Cryptography
OWASP Mobile Top 10 2016
M5-Insufficient Cryptography
OWASP MASVS
V3: 3.6.(L1/L2/L1+R/L2+R)V8: 8.13.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyStored CryptographyStored CryptographyStored CryptographyAuthentication
PCI DSS 4.0
3.6.16.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-330CWE-338

Overview

Used pseudorandom number generator (PRNG) is not secure since it generates predictable sequences. This can be exploited to bypass authentication and hijack the user’s session, as well as to carry out the DNS cache poisoning attack.

PRNGs generate number sequences based on the initial value of the seed. There are two types of PRNG: statistical and cryptographic. Statistical PRNGs generate predictable sequences, which are similar to random according to the statistical characteristics. They may not be used for security purposes. The result of the cryptographic PRNG, on the contrary, is impossible to predict if the value of seed is derived from a source with high entropy. The value of the current time has a small entropy and is also insecure as a seed.

Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.

References

  1. OWASP: Insecure randomness
  2. CWE-330: Use of Insufficiently Random Values
  3. CERT: MSC02-J. Generate strong random numbers
  4. Generating Random Numbers - developer.apple.com
  5. Mobile Top 10 2016-M5-Insufficient Cryptography
  6. CWE-338
MEDIUM

DerScanner Severity Score

Do you want to fix Objective-C : Weak random number generator in your application?

See also

Objective-C

Objective-C : Internal information leak

Objective-C

Objective-C : Weak hashing algorithm

Objective-C

Objective-C : Unsafe reflection