Insecure Random Number Generator in ActivityResultRegistry [272096025]

Fixed

Bug

Status Update

No update yet.

Description

we...@salesforce.com

created issue #1

Mar 8, 2023 03:30PM

Hello, in a security audit we found an instance of insecure Random Number Generator.

File androidx/activity/result/ActivityResultRegistry.java near line 25:

This is the report we got:
Category Cryptography and Insecure Storage
Testing Method Black Box
Tools Used Apktool, dex2jar, jd-gui

Component used: Activity

Version used: 1.8

Devices/Android versions reproduced on: Android api 31.

If this is a bug in the library, we would appreciate if you could attach:
- Sample project to trigger the issue.
- A screenrecord or screenshots showing the issue (if UI related).

Wed Mar 08 2023 12:29:47 GMT-0300 (Argentina Standard Time).png

35 KB

View

Download

Comments

jb...@google.com <jb...@google.com> Mar 9, 2023 12:01AM

Assigned to jb...@google.com.

ap...@google.com <ap...@google.com> #2Mar 9, 2023 01:52AM

Please include a sample project that reproduces your issue.

il...@google.com <il...@google.com> #3Mar 9, 2023 05:44PM

Marked as fixed.

Sample project attached. Just add to plain project this dependencies allow to reproduce.

def emoji2_version = "1.1.0-beta01"
implementation "androidx.emoji2:emoji2:$emoji2_version"

def lifecycle_version = "2.5.0-alpha01"
implementation "androidx.lifecycle:lifecycle-process:$lifecycle_version"

we...@salesforce.com <we...@salesforce.com> #4Mar 10, 2023 11:45AM

The reason may be related to this change, which check itself before it is initialized. Use 2.4.0 of lifecycle-process as workaround.

Issue 272096025

Description

Issue summary

Comments

jb...@google.com <jb...@google.com> Mar 9, 2023 12:01AM

ap...@google.com <ap...@google.com> #2Mar 9, 2023 01:52AM

il...@google.com <il...@google.com> #3Mar 9, 2023 05:44PM

we...@salesforce.com <we...@salesforce.com> #4Mar 10, 2023 11:45AM

Add comment

Issue metadata