14

Which mobile OS's provide a primitive to generate crypto-quality randomness that applications can use?

On desktop systems, these features are pervasive. Unix provides /dev/urandom. Windows provides CryptGenRandom. Do mobile OS's provide something like this? Do they provide any support so that developers don't have to write their own code to collect entropy from multiple sources and combine it to get a seed? (That's something that's error-prone and non-trivial for developers, so I'm looking for support from the platform -- whether it's the OS, or libraries, or something else.)

I would welcome answers that specify a mobile OS, whether it does/does not provide this support, and if yes, what the interface for developers to use is.

AviD
  • 72,138
  • 22
  • 136
  • 218
D.W.
  • 98,420
  • 30
  • 267
  • 572

5 Answers5

14

iOS on iPhone provides entropy from all standard inputs like accelerometers, compass, radio baseband, as well as from certain parts of the circuitry which picks up interference at all levels. Random bits are available to app developers via the SecRandomCopyBytes() function.

I don't have info on other platforms.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • This time you get the "what I would have said" +1. –  Feb 15 '11 at 12:01
  • @Graham - it helped I just had dinner with 2 Apple security folks, and the guy who was in charge of iPhone hardware development on Sunday and it was one of the questions I asked them:-) – Rory Alsop Feb 15 '11 at 16:47
  • @Rory, thanks for the comment. I must confess I found your answer a bit ambiguous. Does iOS expose an easy-to-use interface to the developer to get crypto-quality random numbers? (e.g., by collecting all this entropy, combining it to get a good seed, running it through a crypto-quality PRNG, etc.) Or are you saying that all these sources of entropy are present on iOS, and a developer could write his/her own code to do all that? If iOS does provide it, do you know what interface developers can use to obtain crypto-quality random numbers? – D.W. Feb 15 '11 at 18:25
  • @D.W. I don't know the detail but I will go and ask and update my post when I know. – Rory Alsop Feb 15 '11 at 18:42
  • In iOS, the Certificate, Key, and Trust Services API provides crypto services, but not cryptographic primitives as low-level as strong psuedorandom numbers. The full CDSA API available in OSX does, but on the iPhone you're going to have to either DIY or make Thomas Ptacek happy and Don't Implement Crypto. – user502 Feb 17 '11 at 17:59
  • 2
    On iOS you use the SecRandomCopyBytes() function to get crypto-strong random numbers from /dev/random. You can't access /dev/random directly. –  Feb 18 '11 at 10:29
  • Yep - also it looks like some of the inputs are smoothed in circuitry before they feed in to the /dev/random so there is a little less randomness than might be expected. – Rory Alsop Feb 18 '11 at 14:50
  • @RoryAlsop I have been trying to find a definitive source (read: Apple) which says for a fact that accelerometers, compass, radio baseband, etc. contribute to entropy. The documentation for `SecRandomCopyBytes()` mentions no such thing. Could you tell me where you read this? – Chaitanya Gupta Sep 19 '13 at 13:48
  • I didn't read it. As I said in my first comment above, it was directly from the Apple hardware dev folks. – Rory Alsop Sep 19 '13 at 13:52
7

Android provides java.util.SecureRandom in its Java-based API, which is supposed to be a cryptographically secure PRNG, feeding on whatever the base platform provides as source of robust alea. Android is based upon a Linux kernel, so chances are that there is a /dev/urandom of some kind.

Similarly, Nokia's Maemo and its successor MeeGo, being Linux-based, offer a /dev/urandom.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 1
    /dev/urandom does seem to be there on Android, but oddly, java/org/apache/harmony/security/provider/crypto/SHA1_Data.java says: "/dev/random seems to be empty on Android". I suggest some real testing. And here is the doc for: [SecureRandom | Android Developers](http://developer.android.com/reference/java/security/SecureRandom.html) – nealmcb Feb 15 '11 at 01:04
  • 1
    Android's SecureRandom turns out not to be so secure. http://www.theguardian.com/technology/2013/aug/15/google-android-bitcoin-securerandom-vulnerability – Micah Winkelspecht Aug 20 '13 at 20:37
  • 1
    This drop-in replacement should be used to fix SecureRandom in any application relying a proper RNG: http://android-developers.blogspot.de/2013/08/some-securerandom-thoughts.html – lxgr Sep 04 '13 at 13:03
  • This is super old, but Android provides access to both `/dev/random` and `/dev/urandom`. – Schism May 09 '14 at 23:33
6

Blackberry OS provides net.rim.device.api.crypto.RandomSource to signed apps. It harvests randomness from various sources on the device, just like the iOS RNG. Note that the crypto package also contains various PRNG classes, which are not cryptographically random.

5

To complete the picture: Silverlight and XNA both offer the usual .NET System.Security.Cryptography, which includes RNGCryptoServiceProvider. Therefore that class can be used on Windows Phone 7. The documentation says this offers cryptographically-strong randomness, but doesn't explain how this is ensured.

2

Symbian mobile OS also provides a crypto-quality RNG, as described here.

Thanks to John Kemp, who provided this information.

D.W.
  • 98,420
  • 30
  • 267
  • 572