Use of Insufficiently Random Values

[Shebuka]

Steps to reproduce

1. Use a static analyzer (like MobSF) on an exported ipa that uses SSZipArchive

Expected behavior

No report

Actual behavior

Binary makes use of the insecure Random function(s)

• CWE: CWE-330: Use of Insufficiently Random Values
• OWASP Top 10: M5: Insufficient Cryptography
• OWASP MASVS: MSTG-CRYPTO-6

The binary may use the following insecure Random function(s) _random , _srand

Version of ZipArchive

Any

Problem

minzip uses insecure srand and random if none of the advanced random functions are defined to be available

Solution

Add HAVE_ARC4RANDOM_BUF or HAVE_ARC4RANDOM to GCC_PREPROCESSOR_DEFINITIONS

[Coeur]

Well, it may be an issue with the static analyzer?
Sure, without HAVE_ARC4RANDOM_BUF, then mz_os_rand would be using rand() instead of arc4random_buf... but since MZ_ZIP_NO_CRYPTO is not defined, mz_os_rand is never actually used. Instead, it's SecRandomCopyBytes that is being used:

ZipArchive/SSZipArchive/minizip/mz_crypt_apple.c

Lines 22 to 23 in 79d4dc9

	int32_t mz_crypt_rand(uint8_t *buf, int32_t size) {
	if (SecRandomCopyBytes(kSecRandomDefault, size, buf) != errSecSuccess)

So we could declare HAVE_ARC4RANDOM_BUF to workaround the analyzer erroneous analysis, but there are no insufficiently random values presently in ZipArchive.