Looking for Android source code?

People in the Bitcoin wallet community claim that a defect in the Android SecureRandom class made them suffer from a crypto flaw. For example, from a message:

It seems, at least, sometimes PRNG on Java Android will repeat its pseudo-random sequences, due to the lack of Android's so-called SecureRandom Java class.

The problem is that there is no specific reference to the disadvantage of PRNG. And the quotes appear circular - a bunch of people referring to each other.

Android sources are available at https://android.googlesource.com/ . I would like to see the source code and changes in the Android SecureRandom class.

How do I search this site? I can't find the search box anywhere.

+4
3 answers

The problem is that there is no specific reference to a PRNG defect.

Google posted a blog about this today, including some workarounds.

How is this done when searching on this site? I can't find the search box anywhere.

You cannot, right.

You can use Android XRef.

Or you can use github.

Or you can install Roman Nurik's Chrome extension, which adds source code links to all JavaDocs.

Or you can download the source code and use grep.

+9

git log -p and grep are your friends :) A blog post does not indicate an actual flaw, so it is not very useful. Although the details have not been officially published, it seems that the problem is that all applications start with the same PRNG state (since they are forked from zygote) and "random" sequences will be repeated if they run with the same PID, as before.

POC here:

https://gist.github.com/nelenkov/581f9be65dcc0b6b35b9

As long as there are messages for Nexus device updates, the correction(s) have not yet been tied to AOSP, so there is a (small) possibility that this does not fully correspond to the value.

+1
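The failure mode described in the answer above, modelled as an added example (not code from the original post, the linked gist, or Android): a generator seeded once in a parent process is copied into every forked child, so two children with the same PID produce the same "random" key unless fresh kernel entropy is mixed in after the fork. `ToyDrbg`, `fork_child`, `app_key` and the PID values are hypothetical, and treating the PID as the only per-process input is an assumption taken from the answer's description.

```python
import copy
import hashlib
import os


class ToyDrbg:
    """Hash-chain generator standing in for a userspace PRNG (not Android's code)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def mix(self, data: bytes) -> None:
        # Fold additional input into the internal state.
        self.state = hashlib.sha256(b"mix" + self.state + data).digest()

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(b"step" + self.state).digest()
            out += hashlib.sha256(b"out" + self.state).digest()
        return out[:n]


def fork_child(zygote: ToyDrbg, pid: int, reseed: bool) -> ToyDrbg:
    """Model fork(): the child starts with an exact copy of the parent's state."""
    child = copy.deepcopy(zygote)
    # Assumption: the PID is the only per-process value that reaches the state.
    child.mix(pid.to_bytes(4, "big"))
    if reseed:
        # Mitigation: mix fresh kernel entropy in the child, after the fork.
        child.mix(os.urandom(32))
    return child


def app_key(zygote: ToyDrbg, pid: int, reseed: bool = False) -> bytes:
    """First 32 bytes an app would draw, e.g. for a key or nonce."""
    return fork_child(zygote, pid, reseed).next_bytes(32)


def demo() -> dict:
    zygote = ToyDrbg(os.urandom(32))  # seeded once, before any app is forked
    return {
        "same_pid_repeats": app_key(zygote, 4242) == app_key(zygote, 4242),
        "other_pid_differs": app_key(zygote, 4242) != app_key(zygote, 4243),
        "reseed_breaks_repeat": app_key(zygote, 4242, True) != app_key(zygote, 4242, True),
    }


if __name__ == "__main__":
    print(demo())
```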

Source: https://habr.com/ru/post/1497137/