Posted to commits@cordova.apache.org by GitBox <gi...@apache.org> on 2019/01/31 14:38:21 UTC

[GitHub] brodybits commented on issue #638: MOBILE TOP 10: M5-INSUFFICIENT CRYPTOGRAPHYMOBILE

brodybits commented on issue #638: MOBILE TOP 10: M5-INSUFFICIENT CRYPTOGRAPHYMOBILE
URL: https://github.com/apache/cordova-android/issues/638#issuecomment-459367324
 
 
   Thanks for reporting. In general security reports should be sent *privately* to <pr...@cordova.apache.org> or <se...@apache.org>.
   
   Here is my response:
   
   The linked article seems to be over 5 years old.
   
   I would not expect this to be an issue with newer Android OS versions: <https://github.com/apache/cordova-android/blob/7b17abc5553ca14f69081a2175f787d4a0550f0f/framework/src/org/apache/cordova/CordovaBridge.java#L114-L116>
   
   Note that support for Android 4.3 was already dropped: <https://cordova.apache.org/docs/en/latest/guide/platforms/android/#requirements-and-support>
   
   I do think it would be better if we would use a 20-byte byte array instead of a random integer as described in the following articles:
   - https://developer.android.com/reference/java/security/SecureRandom
   - https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
   
   Some more resources:
   - https://stackoverflow.com/questions/25817133/does-the-android-implementation-of-securerandom-produce-true-random-numbers
   - https://android-developers.googleblog.com/2016/06/security-crypto-provider-deprecated-in.html
   - https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html (the article linked in the description)
   - other results of https://www.google.com/search?q=android+secure+random

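The suggestion in the comment above (a 20-byte array from `SecureRandom` rather than a single random integer), as an added example; this is not code from cordova-android. The class name `BridgeSecretExample`, the hex encoding of the secret, and the constant-time comparison are assumptions that go beyond what the comment states.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Hypothetical illustration only; not Cordova's CordovaBridge. */
public final class BridgeSecretExample {
    // Default constructor: let the platform choose and seed the generator.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SECRET_LEN = 20; // 160 bits, the size suggested in the comment

    private byte[] expected; // null until a secret has been issued

    /** Issues a fresh secret and returns it hex-encoded (assumed transport form). */
    public synchronized String generate() {
        byte[] secret = new byte[SECRET_LEN];
        RNG.nextBytes(secret); // fills all 20 bytes; an int would carry at most 32 bits
        expected = secret;
        return toHex(secret);
    }

    /** Checks a presented secret; malformed input is rejected rather than thrown on. */
    public synchronized boolean verify(String hex) {
        if (expected == null || hex == null || hex.length() != SECRET_LEN * 2) {
            return false;
        }
        byte[] presented = new byte[SECRET_LEN];
        for (int i = 0; i < SECRET_LEN; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                return false; // not a hex digit
            }
            presented[i] = (byte) ((hi << 4) | lo);
        }
        // Comparison time does not depend on where the first mismatch occurs.
        return MessageDigest.isEqual(expected, presented);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        BridgeSecretExample bridge = new BridgeSecretExample();
        String token = bridge.generate();
        System.out.println("issued token accepted: " + bridge.verify(token));
        System.out.println("all-zero token accepted: "
                + bridge.verify("0000000000000000000000000000000000000000"));
        System.out.println("malformed token accepted: " + bridge.verify("not-hex"));
    }
}
```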