使用Java.security.securerandom class flutter中的Geolocator套件的替代方案
我目前正在构建一个颤抖的应用程序,该应用程序进行了安全测试。 在安全性测试中,提出了与扑朔迷离的Geolocator软件包相关的问题,该扑面而会后,使用了代码后显示了Java.util.random类,并且该类使随机数生成的密码在地表上较弱。
他们的建议是使用java.security.securerandom类作为随机数 一代。
是否还有其他其他软件包,该软件包与Geolocator一起使用Java.security.securerandom类用于随机数的生成,还是可以解决此问题?
谢谢您提前的帮助
I am currently building a flutter app which went ahead for security testing.
In the security testing an issue was raised related to geolocator package in flutter which after decompiling the code was showing a java.util.Random class was used and that this class makes the random Number Generation cryptographically weak.
Their recommendation was to use java.security.SecureRandom class for random number
generation.
Is there any other package other then geolocator that uses java.security.SecureRandom class for random number generation or can this be fixed?
Thank you for help in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我是Geolocator Flutter包装的创建者和维护者。感谢您发布此问题并让我意识到这个问题。
我刚刚更新并发布了geolocator_android软件包(版本3.2.1)的更新版本,该版本取代了使用
java.util.random.randomclass与java.security.securerity.securerandom 类。尽管生成的随机数没有以任何安全相关的方式使用(我们只是生成一个随机标识符,以用作活动请求标识符)。要解决上述问题,请更新扑动依赖性。 GeoloCator_Android软件包是主要地理依赖性依赖性的依赖性。因此,根据Geolocator软件包,将自动下载GeoloCator_Android软件包。
要更新依赖项运行
flutter Pub更新命令。如果要检查所使用的版本,请打开pubspec.lock文件,然后搜索geolocator_android条目。如果您确实想强制执行GeoloCator_Android软件包的3.2.1版本的使用情况,则可以向您的
pubspec.yaml文件添加单独的依赖项。I am the creator and maintainer of the geolocator Flutter package. Thank you for posting this and making me aware of this issue.
I have just updated and released an updated version of the geolocator_android package (version 3.2.1) which replaces the use of the
java.util.Randomclass with thejava.security.SecureRandomclass. Although the random number generated is not used in any secure related manner (we just generate a random identifier to use as activity request identifier).To resolve the issue described above, please update the Flutter dependencies. The geolocator_android package is a dependency of the main geolocator dependency. So depending on the geolocator package will automatically download the geolocator_android package.
To update dependencies run the
flutter pub updatecommand. If you want to check the version being used, open up thepubspec.lockfile and search for thegeolocator_androidentry.If you really want to enforce the usage of version 3.2.1 of the geolocator_android package you could add a separate dependency to your
pubspec.yamlfile like so: