Fixed
Status Update
Comments
jb...@google.com <jb...@google.com>
ap...@google.com <ap...@google.com> #2
Project: platform/frameworks/support
Branch: androidx-main
commit ee611fb1b35bcc2db1cc1de75de732434304c4a9
Author: Jeremy Woods <jbwoods@google.com>
Date: Wed Mar 08 16:00:33 2023
Change ActivityResultRegistry to use Kotlin Random
Use the Kotlin Random instead of Java.
Test: all existing tests pass
Bug: 272096025
Change-Id: I4d98f4bc5a36b35fea026f716db45efa74078af8
M activity/activity/src/main/java/androidx/activity/result/ActivityResultRegistry.java
https://android-review.googlesource.com/2478830
Branch: androidx-main
commit ee611fb1b35bcc2db1cc1de75de732434304c4a9
Author: Jeremy Woods <jbwoods@google.com>
Date: Wed Mar 08 16:00:33 2023
Change ActivityResultRegistry to use Kotlin Random
Use the Kotlin Random instead of Java.
Test: all existing tests pass
Bug: 272096025
Change-Id: I4d98f4bc5a36b35fea026f716db45efa74078af8
M activity/activity/src/main/java/androidx/activity/result/ActivityResultRegistry.java
il...@google.com <il...@google.com> #3
While ActivityResultRegistry
's use of Random has no relevance to cryptography or security, we've moved to Kotlin's Random API. This will be available in Activity 1.8.0-alpha03.
we...@salesforce.com <we...@salesforce.com> #4
Thank you all for the resolution! Have a great day.
Description
Hello, in a security audit we found an instance of insecure Random Number Generator.
File androidx/activity/result/ActivityResultRegistry.java near line 25:
This is the report we got:
Category Cryptography and Insecure Storage
Testing Method Black Box
Tools Used Apktool, dex2jar, jd-gui
Component used: Activity
Version used: 1.8
Devices/Android versions reproduced on: Android api 31.
If this is a bug in the library, we would appreciate if you could attach:
- Sample project to trigger the issue.
- A screenrecord or screenshots showing the issue (if UI related).