Android applications that use Java Cryptography Architecture for key generation, signing or random number generation might not receive cryptographically strong values due to improper initialization of the underlying Pseudo Random Number Generator.
**CVEID:** CVE-2013-5391

**DESCRIPTION:** A vulnerability exists in the Android operating system where the pseudo random number generator (PRNG) is not properly initialized. As a result of this vulnerability, Worklight programs on Android that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation might not receive cryptographically strong values.
This issue affects IBM Worklight customer applications on Android that make use of JSONStore local data storage with encryption enabled and have initialized the JSONStore collection using the ‘{localKeyGen: true}’ option. It can also affect IBM Worklight applications on Android if the customer application logic makes use of the JCA functions described above.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87128> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
This issue is tracked using APAR PI06709. The fix is included in the following product versions:
IBM Worklight applications on Android that make use of JSONStore local data storage with encryption enabled and have initialized the JSONStore collection using the ‘{localKeyGen: true}’ option can be updated to avoid using the ‘{localKeyGen: true}’ option.
Alternatively, you can update applications to implement the fix that Google suggests in its blog posting "Some SecureRandom Thoughts".
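The following is an added example of the mitigation pattern described in that posting: registering a `SecureRandom` provider that draws every byte from the kernel's `/dev/urandom` pool instead of trusting the platform SHA1PRNG's self-seeding. It is not Google's `PRNGFixes` code, not IBM's fix for APAR PI06709, and not part of this bulletin; the provider name `UrandomExampleProvider` and the class names are constructed for this example. The posting additionally reseeds the OpenSSL PRNG that the SSL stack uses, which this example does not do, so it should be read as an illustration of the provider half of the fix rather than a drop-in replacement.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;

/** Example only: installs a /dev/urandom-backed SecureRandom as the default provider. */
public final class UrandomSecureRandomFix {

    /** Constructed provider name for this example. */
    public static final String PROVIDER_NAME = "UrandomExampleProvider";

    /** SecureRandomSpi that reads all output from /dev/urandom; the device is opened lazily. */
    public static final class UrandomSecureRandomSpi extends SecureRandomSpi {
        private static final File URANDOM = new File("/dev/urandom");
        private static final Object LOCK = new Object();
        private static DataInputStream in;
        private static OutputStream out;

        @Override
        protected void engineSetSeed(byte[] seed) {
            // Mix caller-supplied seed into the kernel pool; never rely on it alone.
            try {
                OutputStream o;
                synchronized (LOCK) {
                    if (out == null) out = new FileOutputStream(URANDOM);
                    o = out;
                }
                o.write(seed);
                o.flush();
            } catch (IOException e) {
                // Writing may be denied by permissions; harmless, the pool is already seeded.
            }
        }

        @Override
        protected void engineNextBytes(byte[] bytes) {
            try {
                DataInputStream i;
                synchronized (LOCK) {
                    if (in == null) in = new DataInputStream(new FileInputStream(URANDOM));
                    i = in;
                }
                synchronized (i) {
                    i.readFully(bytes);  // fail loudly on short reads rather than return weak bytes
                }
            } catch (IOException e) {
                throw new SecurityException("Failed reading /dev/urandom", e);
            }
        }

        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }

    /** Provider exposing the SPI under "SHA1PRNG" so existing getInstance("SHA1PRNG") calls use it. */
    public static final class UrandomProvider extends Provider {
        public UrandomProvider() {
            super(PROVIDER_NAME, 1.0, "Example /dev/urandom-backed SecureRandom");
            put("SecureRandom.SHA1PRNG", UrandomSecureRandomSpi.class.getName());
            put("SecureRandom.SHA1PRNG ImplementedIn", "Software");
        }
    }

    /** Install at position 1 (highest priority), once. Call from Application.onCreate()
     *  before any key generation, signing, or JSONStore initialisation. */
    public static synchronized void apply() {
        if (Security.getProvider(PROVIDER_NAME) != null) return;
        Security.insertProviderAt(new UrandomProvider(), 1);
    }

    /** Startup self-check: true when both the default SecureRandom and the named
     *  SHA1PRNG instance now resolve to this provider. */
    public static boolean isInstalled() throws Exception {
        SecureRandom byDefault = new SecureRandom();
        SecureRandom byName = SecureRandom.getInstance("SHA1PRNG");
        return PROVIDER_NAME.equals(byDefault.getProvider().getName())
            && PROVIDER_NAME.equals(byName.getProvider().getName());
    }
}
```

Call `UrandomSecureRandomFix.apply()` as early as possible in the application lifecycle and have a startup self-test assert `isInstalled()`, so that a misordered initialisation (a key generated before the provider was registered) is caught in testing rather than shipped. Google's posting gates its fix on the affected Android releases; apply the same gating rather than overriding the platform provider unconditionally on releases where the platform PRNG is already correctly seeded.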