You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have created a mobile app from ionic Cordova framwork and did a scan from WhiteHat Scan. It gives us following issue:
Applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the PRNG (pseudo-random number generator). Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.
The application was found to be vulnerable because of issues related to the SecureRandom implementation. A static value is used each time the SecureRandom variable is created, which means that the results are not randomized on each individual instance. The code locations provided in the table below were identified as being the cause for the current risk status. It is encouraged to review these locations to determine if the violation occurred in an internal or external library. If the issue was found in an external library, it is not possible to determine if the affected portion of code is being triggered from the application's Java source code. In this case, it may not be possible to locate and resolve this issue.
And Details for the issue are as:
Signature: ()Ljavax/net/ssl/SSLSocketFactory;
Class: Lcom/github/kevinsawicki/http/HttpRequest;
Method: getTrustedFactory
RECOMMENDATION
To avoid being vulnerable to Secure Random, ensure that you properly initialize the underlying pseudo-random number generator.
Developers who use JCA for key generation, signing or random number generation should explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.
A suggested implementation is provided here
The text was updated successfully, but these errors were encountered:
We have created a mobile app from ionic Cordova framwork and did a scan from WhiteHat Scan. It gives us following issue:
And Details for the issue are as:
Signature: ()Ljavax/net/ssl/SSLSocketFactory;
Class: Lcom/github/kevinsawicki/http/HttpRequest;
Method: getTrustedFactory
RECOMMENDATION
To avoid being vulnerable to Secure Random, ensure that you properly initialize the underlying pseudo-random number generator.
Developers who use JCA for key generation, signing or random number generation should explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.
A suggested implementation is provided here
The text was updated successfully, but these errors were encountered: