Security issue on Android < 4.4 #25
Comments
Thank you for bringing this to my attention. I agree this affects JNCryptor and I'll immediately look into mitigation.

Has any work done on this? I'd love to use this library in LDLN's Android client without a disclaimer on it that devices have to be 4.4+. Perhaps we (at LDLN) could help look into nice ways of implementing this fix if it's not been started yet...

Looking at the linked blog post, there is what seems to be a reasonable mitigation available by seeding the PRNG. Is there a problem with the code in that blog post?

I've decided not to address Android issues within this project. I don't have the means to test fixes, so this remains a pure Java implementation.
See http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html

Since this library appears to be directly using numbers from a default-initialized SecureRandom, it should not be used on Android versions below 4.4 without a separate initialization step. Either the fix should be applied in the code here where applicable (via reflection, probably, to avoid borking non-Android environments), or there should be a big disclaimer and a minimum Android recommendation of 4.4 rather than 2.3.3 for using this library.
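The reflection-guarded approach the issue suggests, written here as an added illustration rather than code from JNCryptor or from the linked blog post: the Android API level is read through reflection so the class loads fine on a plain JVM, and only on API levels below 19 (Android 4.4) is a /dev/urandom-backed SecureRandom provider installed at top priority. The class and provider names are assumptions for this example; it must run before the library creates its first SecureRandom.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.SecureRandomSpi;
import java.security.Security;

/** Hypothetical helper: shields a pure-Java library from the pre-4.4 Android PRNG weakness. */
public final class AndroidPrngGuard {
    private static final int KITKAT_API_LEVEL = 19; // Android 4.4, where the platform fix landed

    /** Android API level via reflection, or -1 when android.os.Build is not on the classpath. */
    static int androidApiLevel() {
        try {
            Class<?> version = Class.forName("android.os.Build$VERSION");
            return version.getField("SDK_INT").getInt(null);
        } catch (ReflectiveOperationException | RuntimeException e) {
            return -1; // plain JVM: leave the JDK's SecureRandom untouched
        }
    }

    /** Installs the kernel-backed provider only where the default PRNG is known to be weak. */
    public static boolean applyIfNeeded() {
        int api = androidApiLevel();
        if (api < 0 || api >= KITKAT_API_LEVEL) return false;
        Security.insertProviderAt(new LinuxPrngProvider(), 1); // position 1 = consulted first
        return true;
    }

    /** SecureRandom SPI that takes every output byte from the kernel pool. */
    static final class LinuxPrngSpi extends SecureRandomSpi {
        @Override protected void engineSetSeed(byte[] seed) { /* kernel pool is already seeded */ }
        @Override protected void engineNextBytes(byte[] bytes) {
            // Reopened per call for brevity; a production version would cache the stream.
            try (DataInputStream in = new DataInputStream(new FileInputStream("/dev/urandom"))) {
                in.readFully(bytes);
            } catch (IOException e) {
                throw new SecurityException("Failed to read from /dev/urandom", e);
            }
        }
        @Override protected byte[] engineGenerateSeed(int n) { byte[] b = new byte[n]; engineNextBytes(b); return b; }
    }

    /** Registers the SPI under the algorithm name the default SecureRandom() resolves to. */
    static final class LinuxPrngProvider extends Provider {
        LinuxPrngProvider() {
            super("LinuxPRNG", 1.0, "SecureRandom backed by /dev/urandom");
            put("SecureRandom.SHA1PRNG", LinuxPrngSpi.class.getName());
        }
    }
}
```

Calling `AndroidPrngGuard.applyIfNeeded()` from a static initializer of the library's entry class makes the guard transparent to callers on both platforms.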