Add MASTG-TEST-0063: Testing Random Number Generation (iOS) #3521
Conversation
…ion testing Co-authored-by: cpholguera <[email protected]>
…SPRNG, SecRandomCopyBytes, and Swift's random APIs
… scripts, and improve output handling
Pull Request Overview
This PR adds comprehensive MASTG v2 test coverage for detecting insecure random number generation on iOS, addressing issue #3349.
Key Changes:
- New static analysis test (MASTG-TEST-xx63) for detecting insecure random APIs (`rand`, `srand`, `drand48`)
- Comprehensive knowledge article (MASTG-KNOW-0070) explaining iOS random number generation APIs
- Two demos: radare2-based static detection (MASTG-DEMO-0063) and frida-trace runtime monitoring (MASTG-DEMO-0064)
- Best practices guide (MASTG-BEST-00x1) recommending secure random APIs
- Deprecation of old v1 test with reference to new version
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| tests/ios/MASVS-CRYPTO/MASTG-TEST-0063.md | Marks v1 test as deprecated and references new v2 test |
| tests-beta/ios/MASVS-CRYPTO/MASTG-TEST-xx63.md | New v2 static test for insecure random API detection, maps to MASWE-0027 |
| knowledge/ios/MASVS-CRYPTO/MASTG-KNOW-0070.md | Comprehensive documentation of iOS random number generation including secure/insecure APIs with code examples |
| demos/ios/MASVS-CRYPTO/MASTG-DEMO-0063/ | Static analysis demo using radare2 to detect insecure random function calls with Swift sample code |
| demos/ios/MASVS-CRYPTO/MASTG-DEMO-0064/ | Dynamic analysis demo using frida-trace to monitor random API usage at runtime |
| best-practices/MASTG-BEST-00x1.md | Best practices guide for using secure random number generators on iOS |
| - In Flutter or Dart use [`Random.secure()`](https://api.flutter.dev/flutter/dart-math/Random/Random.secure.html), which is documented as cryptographically secure. It reaches `SecRandomCopyBytes` through [the platform integration layers](https://github.com/dart-lang/sdk/blob/47e77939fce74ffda0b7252f33ba1ced2ea09c52/runtime/bin/crypto_macos.cc#L16). See [this article](https://www.zellic.io/blog/proton-dart-flutter-csprng-prng/) for a security review. | ||
| - In React Native use a library such as [`react-native-secure-random`](https://github.com/robhogan/react-native-securerandom) or [`react-native-get-random-values`](https://github.com/LinusU/react-native-get-random-values), which internally calls `SecRandomCopyBytes` on iOS. |
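Review bot: the link text `react-native-secure-random` does not match the repository name in its URL (`react-native-securerandom`); align the two so readers search for the right package. In the same item, "which internally calls `SecRandomCopyBytes` on iOS" is singular after two libraries are named, so it is unclear whether the statement covers both; either write "both of which call `SecRandomCopyBytes` on iOS" or attach the clause to the one library it has been verified for.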
Copilot AI, Nov 20, 2025
Missing punctuation in list items: According to the guidelines, list items that are complete sentences should end with periods. These list items are complete sentences and should have periods at the end.
| - `rand` and `srand`, which expose the insecure libc PRNG. | ||
| - `drand48`, which also uses an insecure linear congruential generator. |
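Review bot: this list of insecure APIs names `rand`, `srand` and `drand48`, while the PR description lists `rand`, `random`, `srand` and `srandom`; add the missing symbols here or reconcile the description so the test and its documentation cover the same set. Also, "also uses an insecure linear congruential generator" in the `drand48` item implies the previous item named an LCG, but it only says "insecure libc PRNG"; either name the algorithm in both items or drop "also".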
Copilot AI, Nov 20, 2025
Missing punctuation in list items: According to the guidelines, list items that are complete sentences should end with periods. These list items are complete sentences and should have periods at the end.
|
|
||
| ### Sample | ||
|
|
||
| The following sample demonstrates various methods of generating random tokens, and contrasts insecure and secure approaches. It includes |
Copilot AI, Nov 20, 2025
Incomplete sentence: The paragraph ends with "It includes" but doesn't complete the thought before starting the list. Either complete the introductory sentence (e.g., "It includes:") or rephrase to make it a complete sentence. Per the guidelines, introductory sentences before lists should be complete.
| profiles: [L1, L2] | ||
| status: deprecated | ||
| covered_by: [MASTG-TEST-xx63] | ||
| deprecation_note: New version available in MASTG V2 |
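Review bot: `covered_by: [MASTG-TEST-xx63]` points at a placeholder ID (the `xx` digits), as does the new file name `tests-beta/ios/MASVS-CRYPTO/MASTG-TEST-xx63.md` in the file summary; both must be replaced with the final assigned ID before merge, because the v1 test `MASTG-TEST-0063` already occupies that number and a dangling `covered_by` reference leaves the deprecation unresolvable for anyone following it.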
Copilot AI, Nov 20, 2025
Inconsistent capitalization: "MASTG V2" should be "MASTG v2" (lowercase 'v') to maintain consistency with how version numbers are typically written.
| deprecation_note: New version available in MASTG V2 | |
| deprecation_note: New version available in MASTG v2 |
| - Insecure methods using libc `rand`, `srand`, and `drand48` | ||
| - Other secure methods such as direct reads from `/dev/random`, `arc4random`, `arc4random_uniform`, `SystemRandomNumberGenerator`, and `CCRandomGenerateBytes` | ||
| - A preferred secure method using `SecRandomCopyBytes` |
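Review bot: the item order puts "Other secure methods" before "A preferred secure method", so "Other" has nothing to refer back to; move the `SecRandomCopyBytes` item ahead of the alternatives. Direct reads from `/dev/random` are listed here as a secure method but are absent from the best-practices list of recommended APIs (`SecRandomCopyBytes`, CommonCrypto, Swift Standard Library, CryptoKit); state in the sample description why they appear in the demo so the two documents agree.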
Copilot AI, Nov 20, 2025
Missing punctuation in list items: According to the guidelines, list items that complete the introductory sentence should have punctuation. These list items should end with commas (except the last) or be reformatted as complete sentences with periods.
best-practices/MASTG-BEST-00x1.md
Outdated
| - **Security Framework (preferred)**: Use the [`SecRandomCopyBytes`](https://developer.apple.com/documentation/security/secrandomcopybytes(_:_:_:)) API from the Security framework, which produces cryptographically secure random bytes backed by the system CSPRNG. | ||
| - **CommonCrypto**: You _could_ use `CCRandomCopyBytes` or `CCRandomGenerateBytes` (not documented on the Apple Developers website), which are also backed by the system CSPRNG. However, prefer `SecRandomCopyBytes` which is a wrapper around these functions. | ||
| - **Swift Standard Library**: You can use the Swift Standard Library `.random` APIs which are backed by `SystemRandomNumberGenerator`. However, note that their random number generator can be customized, so ensure you use the default `SystemRandomNumberGenerator` (e.g., by not specifying a custom generator) or a secure alternative (ensure it is cryptographically secure). | ||
| - ***CryptoKit**: CryptoKit doesn't expose a direct random byte generator, but it provides secure random nonces and keys through its cryptographic operations, which are backed by the system CSPRNG. For example, you can use `SymmetricKey` for keys and `AES.GCM.Nonce` for nonces without needing to manage raw random bytes directly. |
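Review bot: `***CryptoKit**` opens with three asterisks and closes with two, so the bold marker never closes and the rendered item carries a stray asterisk; make it `**CryptoKit**`. In the Swift Standard Library item, "or a secure alternative (ensure it is cryptographically secure)" says the same thing twice; keep one phrasing. The CommonCrypto item asserts that `SecRandomCopyBytes` "is a wrapper around these functions" while the same item notes the CommonCrypto functions are not documented on Apple's developer site; cite a source for the wrapper relationship or drop the claim and keep only the documented point that both are backed by the system CSPRNG.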
Copilot AI, Nov 20, 2025
Missing punctuation in list items: According to the guidelines, list items that are complete sentences should end with periods. These list items appear to be complete sentences and should have periods at the end.
Co-authored-by: Copilot <[email protected]>
…tation and streamline output descriptions
…ithub.com/OWASP/owasp-mastg into copilot/add-random-number-generation-test
| @@ -0,0 +1,72 @@ | |||
| --- | |||
⚠️ Duplicate MASTG-DEMO ID Detected
This file has the ID MASTG-DEMO-0063 which already exists in demos/android/MASVS-PLATFORM/MASTG-DEMO-0063/MASTG-DEMO-0063.md.
IMPORTANT: Please use the next available ID: MASTG-DEMO-0068
| @@ -0,0 +1,38 @@ | |||
| --- | |||
⚠️ Duplicate MASTG-DEMO ID Detected
This file has the ID MASTG-DEMO-0064 which already exists in demos/android/MASVS-STORAGE/MASTG-DEMO-0064/MASTG-DEMO-0064.md.
IMPORTANT: Please use the next available ID: MASTG-DEMO-0069
This PR closes #3349
Description
Adds MASTG v2 test and demo for detecting insecure random number generation in iOS apps.
Changes
Test:
- tests-beta/ios/MASVS-CRYPTO/MASTG-TEST-0063.md
- … `rand`, `random`, `srand`, `srandom`)
Demo:
- demos/ios/MASVS-CRYPTO/MASTG-DEMO-0063/
- … `rand()`/`srand()`) vs secure (`SecRandomCopyBytes`)
- Dynamic analysis omitted per issue requirements.
[x] I have read the contributing guidelines.
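One way to script the static check that the radare2-based demo performs, as an added example that is not part of this PR or of the MASTG project: a POSIX shell function that scans a binary's import listing for the libc PRNG symbols named in this PR (`rand`, `srand`, `random`, `srandom`, `drand48`) and a wrapper that returns non-zero when any is present, so it can gate a build step. The import listing below is constructed, and its column layout (`nth paddr vaddr bind type lib name`) is my assumption about what `rabin2 -i` prints for a Mach-O; against a real app you would pipe `rabin2 -i <binary>` into the same function.

```shell
#!/bin/sh
# Added example (not MASTG project code): flag imports of the libc PRNG
# entry points this PR treats as insecure, working from a `rabin2 -i`
# style import listing rather than from a live binary.

# Constructed sample input. The column layout (nth paddr vaddr bind type lib name)
# is assumed to mirror what `rabin2 -i` prints for a Mach-O; the symbols are
# invented for this demo and do not come from any real app.
SAMPLE_IMPORTS='nth paddr      vaddr      bind   type   lib name
1   0x00000000 ---------- NONE   FUNC       _rand
2   0x00000000 ---------- NONE   FUNC       _srand
3   0x00000000 ---------- NONE   FUNC       _SecRandomCopyBytes
4   0x00000000 ---------- NONE   FUNC       _arc4random_uniform
5   0x00000000 ---------- NONE   FUNC       _objc_msgSend'

# Insecure libc random APIs named in this PR (test, knowledge article, description).
INSECURE_RANDOM_APIS='rand srand random srandom drand48'

# Read an import listing on stdin; print each insecure API found, one per line,
# without the Mach-O leading underscore, deduplicated. No output means none found.
find_insecure_random_imports() {
    awk -v insecure="$INSECURE_RANDOM_APIS" '
        BEGIN { n = split(insecure, names, " "); for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        $1 == "nth" { next }                 # skip the header row
        NF >= 2 {
            sym = $NF                        # symbol name is the last column
            sub(/^_/, "", sym)               # Mach-O C symbols carry a leading underscore
            if (sym in bad) print sym        # exact match: arc4random_uniform must not match "rand"
        }' | sort -u
}

# Return 1 when the listing on stdin contains any insecure random import,
# 0 otherwise, so the check can fail a CI step.
check_random_imports() {
    found=$(find_insecure_random_imports)
    if [ -n "$found" ]; then
        printf 'Insecure random APIs imported:\n%s\n' "$found"
        return 1
    fi
    echo "No insecure random APIs imported."
    return 0
}

# Usage: pipe `rabin2 -i <binary>` (here, the constructed sample) into the check.
printf '%s\n' "$SAMPLE_IMPORTS" | check_random_imports || true
```

Matching is on the whole symbol name rather than a substring, which is what keeps `arc4random_uniform` (secure, and listed in the demo) from being reported as a hit on `rand`; a substring grep would produce exactly that false positive.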