I am currently building a Flutter app which went ahead for security testing. In the security testing an issue was raised related to the geolocator package in Flutter which, after decompiling the code, showed that the java.util.Random class was used, and that this class makes the random number generation cryptographically weak.
Their recommendation was to use java.security.SecureRandom class for random number generation.
Is there any other package other than geolocator that uses the java.security.SecureRandom class for random number generation, or can this be fixed?
Thank you for your help in advance.
I am the creator and maintainer of the geolocator Flutter package. Thank you for posting this and making me aware of this issue.
I have just updated and released an updated version of the geolocator_android package (version 3.2.1) which replaces the use of the java.util.Random class with the java.security.SecureRandom class. Although the random number generated is not used in any security-related manner (we just generate a random identifier to use as activity request identifier).
To resolve the issue described above, please update the Flutter dependencies. The geolocator_android package is a dependency of the main geolocator dependency. So depending on the geolocator package will automatically download the geolocator_android package.
To update dependencies run the flutter pub update command. If you want to check the version being used, open up the pubspec.lock file and search for the geolocator_android entry.
If you really want to enforce the usage of version 3.2.1 of the geolocator_android package you could add a separate dependency to your pubspec.yaml file like so:

```yaml
dependencies:
  geolocator: ^8.2.1
  geolocator_android: ^3.2.1
```
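The answer above describes the fix on the Android side: a random activity request identifier that used to come from java.util.Random now comes from java.security.SecureRandom. The following is an added example of how such an identifier generator can be written; it is not the geolocator package's own code. The class name `RequestCodeGenerator`, the in-flight tracking and the 16-bit upper bound are assumptions made for this example (the bound reflects the common Android rule that request codes passed through a FragmentActivity must fit in the lower 16 bits).

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the geolocator package): generates activity request
// identifiers from SecureRandom instead of java.util.Random. The value is not a
// secret, but using SecureRandom keeps static analyzers from flagging a weak
// PRNG and costs nothing for a handful of identifiers per session.
public final class RequestCodeGenerator {
    // Assumption: keep codes in 1..0xFFFF so they survive the lower-16-bit
    // request-code restriction that FragmentActivity imposes on Android.
    private static final int MAX_REQUEST_CODE = 0xFFFF;

    // SecureRandom is seeded by the platform; do NOT call setSeed() with a
    // fixed value, which would make the output predictable again.
    private final SecureRandom random = new SecureRandom();

    // Identifiers currently awaiting a result; a collision here would route
    // one activity result to the wrong callback, so re-draw on collision.
    private final Set<Integer> inFlight = new HashSet<>();

    /** Returns a fresh, currently unused request code in 1..0xFFFF. */
    public synchronized int next() {
        int code;
        do {
            // nextInt(bound) is exclusive of bound, so +1 yields 1..0xFFFF (never 0)
            code = random.nextInt(MAX_REQUEST_CODE) + 1;
        } while (!inFlight.add(code));
        return code;
    }

    /** Call when the result for this code has been delivered. */
    public synchronized void release(int code) {
        inFlight.remove(code);
    }

    public static void main(String[] args) {
        RequestCodeGenerator gen = new RequestCodeGenerator();
        int first = gen.next();
        int second = gen.next();
        System.out.println("request codes: " + first + ", " + second
                + " (distinct=" + (first != second) + ")");
        gen.release(first);
        gen.release(second);
    }
}
```

The equivalent call site with `new java.util.Random().nextInt(...)` is what the decompiled-code scan in the question reports; swapping the constructor for `new SecureRandom()` is the whole change, and the surrounding uniqueness bookkeeping stays the same.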