fix: replace sha1prng secure random with recommended algorithm (#3314)

sdhuka · web-flow · commit 1f41eb35db1b · 2023-06-06T15:29:04.000-05:00
diff --git a/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java b/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java
@@ -18,6 +18,7 @@
 package com.amazonaws.mobileconnectors.cognitoidentityprovider;
 
 import android.content.Context;
+import android.os.Build;
 import android.os.Handler;
 import android.os.Looper;
 
@@ -4040,7 +4041,11 @@ protected MessageDigest initialValue() {
 
         static {
             try {
-                SECURE_RANDOM = SecureRandom.getInstance("SHA1PRNG");
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                    SECURE_RANDOM = SecureRandom.getInstanceStrong();
+                } else {
+                    SECURE_RANDOM = new SecureRandom();
+                }
 
                 final MessageDigest messageDigest = THREAD_MESSAGE_DIGEST.get();
                 messageDigest.reset();
diff --git a/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/util/CognitoDeviceHelper.java b/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/util/CognitoDeviceHelper.java
@@ -334,7 +334,11 @@ protected MessageDigest initialValue() {
 
         static {
             try {
-                SECURE_RANDOM = SecureRandom.getInstance("SHA1PRNG");
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                    SECURE_RANDOM = SecureRandom.getInstanceStrong();
+                } else {
+                    SECURE_RANDOM = new SecureRandom();
+                }
             } catch (final NoSuchAlgorithmException e) {
                 throw new ExceptionInInitializerError(e);
             }
@@ -360,7 +364,7 @@ public BigInteger getVerifier() {
         /**
          * Helps to start the SRP validation of the device.
          * @param deviceGroupKey REQUIRED: Group assigned to the device.
-         * @param deviceKey REQUIRED: Unique identifier assigned to the device. 
+         * @param deviceKey REQUIRED: Unique identifier assigned to the device.
          * @param password REQUIRED: The device password.
          */
         public deviceSRP(String deviceGroupKey, String deviceKey, String password) {
