
Running gradle build on an Android project or module yields the following lint report entry: Potentially insecure random numbers on Android 4.3 and older. Read https://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html for more info.

This provides an easy-to-implement patch for said issue. But I'm wondering if it needs to be applied, given that it's 5 years old, or can this be ignored?

Thanks

Justin

1 Answer


That depends on whether your app must support Android versions 4.3 and earlier, as well as why you are using SecureRandom in your app (e.g., for information security or secure communications), and the security risk of not using the fix suggested at that page to patch uses of SecureRandom in your app in older versions. Note, however, that according to the Distribution Dashboard, only about 3.5% of Android devices that recently visited the Google Play store ran version 4.3 and earlier. This percentage will likely be less for your app if the minSdkVersion is higher than 10, and this percentage will likely dwindle as time goes by.

Peter O.
  • Thanks Peter. So from what you are saying, the vulnerability is still present for devices <= 4.3. I was wondering if after 5 years it would have been fixed for all platforms, but I guess not. Thank you. – Justin Mar 13 '19 at 23:31
  • I'm not implying that the SecureRandom vulnerability wasn't patched in versions 4.3 and earlier. It might have been, but Android security bulletins (which describe which vulnerabilities were fixed) go back only to August 2015. Also, most operating system patches to Android devices are not managed by Google or by the Android developers, but by the device manufacturers themselves. – Peter O. Mar 13 '19 at 23:37
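Added example (not from the question, the answer, or the linked post): one way to act on the answer above is to apply the workaround only on the API levels the lint warning names, so that devices on 4.4 and newer run the platform's own SecureRandom untouched. It assumes the PRNGFixes class from the linked blog post has been copied into the project; any other name here is a placeholder.

```java
import android.app.Application;
import android.os.Build;
import android.util.Log;

import java.security.SecureRandom;

// Hypothetical Application subclass; register it via android:name in the manifest.
public class SecureRandomGateApplication extends Application {

    private static final String TAG = "SecureRandomGate";

    // Android 4.3 is API 18 (JELLY_BEAN_MR2); the lint warning covers 4.3 and older.
    private static final int LAST_AFFECTED_API = Build.VERSION_CODES.JELLY_BEAN_MR2;

    /** True when the running device falls inside the range the lint warning describes. */
    static boolean deviceNeedsPrngFix(int sdkInt) {
        return sdkInt <= LAST_AFFECTED_API;
    }

    @Override
    public void onCreate() {
        super.onCreate();
        if (deviceNeedsPrngFix(Build.VERSION.SDK_INT)) {
            // PRNGFixes is the class from the linked Android Developers post (assumed
            // to be in the project). Apply it before any SecureRandom is created.
            PRNGFixes.apply();
            Log.i(TAG, "Applied SecureRandom workaround for API " + Build.VERSION.SDK_INT);
        } else {
            // If minSdkVersion is 19 or higher this branch is the only one that can run,
            // and the workaround code can be dropped from the project entirely.
            Log.i(TAG, "API " + Build.VERSION.SDK_INT + " not affected; no workaround applied");
        }
        // Record which provider now backs the default SecureRandom, so the effect
        // of the gate is visible in logcat on a test device.
        SecureRandom sr = new SecureRandom();
        Log.i(TAG, "SecureRandom provider: " + sr.getProvider().getName());
    }
}
```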