Security issue on Android < 4.4

[ysamlan]

See http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html

Since this library appears to be directly using numbers from a default-initialized SecureRandom, it should not be used on Android versions below 4.4 without a separate intialization step.

Either the fix should be applied in the code here where applicable (via reflection, probably, to avoid borking non-Android environments), or there should be a big disclaimer and a minimum Android recommendation of 4.4 rather than 2.3.3 for using this library.

[dmjones]

Thank you for bringing this to my attention. I agree this affects JNCryptor and I'll immediately look into mitigation.

[mr-z-ro]

Has any work done on this? I'd love to use this library in LDLN's Android client without a disclaimer on it that devices have to be 4.4+. Perhaps we (at LDLN) could help look into nice ways of implementing this fix if it's not been started yet...

[rnapier]

Looking at the linked blog post, there is what seems to be a reasonable mitigation available by seeding the PRNG. Is there a problem with the code in that blog post?

[dmjones]

I've decided not to address Android issues within this project. I don't have the means to test fixes, so this remains a pure Java implementation.