MASTG-TEST-0063: Testing Random Number Generation

Deprecated Test

This test isdeprecated and should not be used anymore.Reason: New version available in MASTG V2

Please check the following MASTG v2 tests that cover this v1 test:

Insecure Random API Usage

Overview¶

Static Analysis¶

In Swift, theSecRandomCopyBytes API is defined as follows:

func SecRandomCopyBytes(_ rnd: SecRandomRef?,                      _ count: Int,                      _ bytes: UnsafeMutablePointer<UInt8>) -> Int32

TheObjective-C version is

intSecRandomCopyBytes(SecRandomRefrnd,size_tcount,uint8_t*bytes);

The following is an example of the APIs usage:

intresult=SecRandomCopyBytes(kSecRandomDefault,16,randomBytes);

Note: if other mechanisms are used for random numbers in the code, verify that these are either wrappers around the APIs mentioned above or review them for their secure-randomness. Often this is too hard, which means you can best stick with the implementation above.

Dynamic Analysis¶

If you want to test for randomness, you can try to capture a large set of numbers and check withBurp's sequencer plugin to see how good the quality of the randomness is.

Movatterモバイル変換

MASTG-TEST-0063: Testing Random Number Generation

Overview¶

Static Analysis¶

Dynamic Analysis¶