I ran a security test via the ImmuniWeb tool on my Android app APK. One of the observations the tool made was that one of the app components uses a predictable random number generator. It further said:
Under certain conditions, this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside of the application and an attacker can provide the application with a predictable token to validate and then execute a sensitive activity within the application or its backend.
Example of insecure code: Random random = new Random()
Example of secure code: SecureRandom random = new SecureRandom()
There is 'new Random()' found in file 'kotlinx/coroutines/scheduling/CoroutineScheduler.java'
There is 'new Random()' found in file 'kotlin/random/FallbackThreadLocalRandom$implStorage$1.java'
The app heavily uses Kotlin coroutines so I am not in a position to remove the library. My doubt is how do I avoid this vulnerability? Can I do something about it? Lastly, if this really is a valid risky code, can we report and expect Kotlin to push an update to fix it?
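The distinction the report draws is between a seeded, deterministic generator (java.util.Random) and the platform CSPRNG (SecureRandom). The example below is added here and is not part of the original question or of the Kotlin/kotlinx.coroutines code base: it shows that two java.util.Random instances with the same seed reproduce the same sequence, which is what makes it unsuitable for session or validation tokens, and it shows the SecureRandom-based token generation plus constant-time comparison that an app should use for its own tokens. Function names (predictableTokens, newSessionToken, tokenMatches) are assumptions made for the example.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import java.util.Random

// java.util.Random is a 48-bit linear congruential generator: given the same
// seed it emits the same sequence, so its output is reproducible rather than
// secret. This function exists only to demonstrate that property.
fun predictableTokens(seed: Long, count: Int): List<String> {
    val rng = Random(seed)
    return List(count) { rng.nextInt().toString(16) }
}

// SecureRandom draws from the platform CSPRNG (on Android this is backed by
// the kernel's random device), so successive outputs are not derivable from
// earlier ones. One shared instance is fine; it is thread-safe.
private val secureRng = SecureRandom()

// Generate a URL-safe token with byteLength bytes of entropy (32 bytes = 256 bits).
fun newSessionToken(byteLength: Int = 32): String {
    val bytes = ByteArray(byteLength)
    secureRng.nextBytes(bytes)
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
}

// Validate a presented token against the stored one in constant time, so the
// comparison itself does not leak how many leading bytes matched.
fun tokenMatches(presented: String, expected: String): Boolean =
    MessageDigest.isEqual(presented.toByteArray(), expected.toByteArray())

fun main() {
    // Identical seeds yield identical "tokens": nothing here is secret.
    val a = predictableTokens(seed = 42L, count = 3)
    val b = predictableTokens(seed = 42L, count = 3)
    println("java.util.Random with equal seeds produces equal sequences: ${a == b}")

    // SecureRandom tokens are independent draws from the CSPRNG.
    val token = newSessionToken()
    println("token: $token")
    println("matches itself: ${tokenMatches(token, token)}")
    println("matches a fresh token: ${tokenMatches(token, newSessionToken())}")
}
```

java.util.Base64 needs Android API level 26 or later; on older targets use android.util.Base64 with the URL_SAFE and NO_PADDING flags. The practical check for this report is to search the app's own sources (not the decompiled library packages) for `Random(` used anywhere a value must stay unguessable, such as tokens, nonces, salts or IVs, and switch those to SecureRandom; a scheduler picking a worker thread with java.util.Random does not fall into that category.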
I agree with @Morrison Chang. I don't think the coroutine scheduling code needs to be cryptographically secure either.
That logic isn't doing something like creating initialisation vectors for a block cipher etc. so it ought to be fine...