Swift : Weak random number generator

Overview

The pseudorandom number generator (PRNG) used in the example is not secure because it generates predictable sequences. An attacker can exploit this to bypass authentication and hijack the user’s session, or to carry out a DNS cache poisoning attack.

PRNGs generate number sequences from an initial seed value. There are two types of PRNG: statistical and cryptographic. Statistical PRNGs generate predictable sequences that only resemble random ones in their statistical characteristics, so they should not be used for security purposes. The output of a cryptographic PRNG, by contrast, is impossible to predict if the seed is derived from a high-entropy source. The current time has low entropy and is therefore also insecure as a seed.
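The contrast described above, as an added example (not code from the original page or from DerScanner): a session token built from a statistical PRNG seeded with the clock, next to one drawn from the system CSPRNG. The generator type, function names and timestamp are constructed for illustration, and `SecRandomCopyBytes` assumes an Apple platform.

```swift
import Foundation
import Security

// Constructed statistical PRNG (64-bit linear congruential generator).
// It stands in for any non-cryptographic generator: every output is
// fully determined by the seed.
struct LinearCongruentialGenerator: RandomNumberGenerator {
    private var state: UInt64
    init(seed: UInt64) { state = seed }
    mutating func next() -> UInt64 {
        state = state &* 6364136223846793005 &+ 1442695040888963407
        return state
    }
}

// Weak: token from a statistical PRNG seeded with the current time in seconds.
func weakToken(issuedAt: Date, byteCount: Int = 16) -> String {
    let seed = UInt64(issuedAt.timeIntervalSince1970)
    var rng = LinearCongruentialGenerator(seed: seed)
    return (0..<byteCount)
        .map { _ in String(format: "%02x", UInt8.random(in: 0...UInt8.max, using: &rng)) }
        .joined()
}

enum TokenError: Error { case randomSourceFailed(OSStatus) }

// Hardened: bytes come from the system CSPRNG, and a failure of the
// random source is reported instead of returning a zero-filled token.
func secureToken(byteCount: Int = 16) throws -> String {
    var bytes = [UInt8](repeating: 0, count: byteCount)
    let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard status == errSecSuccess else { throw TokenError.randomSourceFailed(status) }
    return bytes.map { String(format: "%02x", $0) }.joined()
}

// Constructed issue time. Two requests in the same second share a seed,
// so the weak generator hands both of them the same token.
let issuedAt = Date(timeIntervalSince1970: 1_700_000_000)
let weakA = weakToken(issuedAt: issuedAt)
let weakB = weakToken(issuedAt: issuedAt.addingTimeInterval(0.4))
print("weak tokens identical:", weakA == weakB, weakA)

// The CSPRNG takes no caller-supplied seed; successive tokens are independent.
let strongA = try secureToken()
let strongB = try secureToken()
print("secure tokens identical:", strongA == strongB)
```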

Insufficient Cryptography vulnerabilities rank fifth in the “OWASP Top 10 2016” ranking of mobile application vulnerabilities.

DerScanner Severity Score: MEDIUM

See also

Swift : Nill password

Swift : Hardcoded salt

Swift : Undocumented feature: special account