fix: use secure crypto for ios socketio secret

TryQuiet · Oct 30, 2023 · 96b97db · 96b97db
1 parent d758341
commit 96b97db
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 20 deletions.
diff --git a/packages/mobile/ios/Quiet/AppDelegate.m b/packages/mobile/ios/Quiet/AppDelegate.m
@@ -95,19 +95,6 @@ - (void) createDataDirectory {
   self.dataPath = [dataDirectory create];
 }
 
-  NSString* randomStringWithLength(int length) {
-    NSString *letters = @"0123456789";
-    NSMutableString *randomString = [NSMutableString stringWithCapacity:length];
-
-    for (int i=0; i<length; i++) {
-      uint32_t rand = arc4random_uniform((uint32_t)[letters length]);
-      unichar character = [letters characterAtIndex:rand];
-      [randomString appendFormat:@"%C", character];
-    }
-
-    return randomString;
-  }
-
 - (void) initWebsocketConnection {
   /*
    * We have to wait for RCTBridge listeners to be initialized, yet we must be sure to deliver the event containing data port information.
@@ -130,7 +117,7 @@ - (void) spinupBackend:(BOOL)init {
   Utils *utils = [Utils new];
 
   if (self.socketIOSecret == nil) {
-      self.socketIOSecret       = [utils generateRandomStringWithLength:(20)];
+      self.socketIOSecret       = [utils generateSecretWithLength:(20)];
   }
 
   self.dataPort             = [findFreePort getFirstStartingFromPort:11000];

diff --git a/packages/mobile/ios/Utils.swift b/packages/mobile/ios/Utils.swift
@@ -2,14 +2,20 @@
 class Utils: NSObject {
 
     @objc
-    func generateRandomString(length: Int) -> String {
-    let letters = "0123456789"
-    var randomString = String()
+    func generateSecret(length: Int) -> String {
+    let characters = Array("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
+    var randomString = ""
 
     for _ in 0..<length {
-        let rand = Int(arc4random_uniform(UInt32(letters.count)))
-        let character = letters[letters.index(letters.startIndex, offsetBy: rand)]
-        randomString.append(character)
+        var random: UInt8 = 0
+        let result = SecRandomCopyBytes(kSecRandomDefault, 1, &random)
+
+        if result == errSecSuccess {
+            let index = Int(random) % characters.count
+            randomString.append(characters[index])
+        } else {
+            fatalError("Unable to generate random byte.")
+        }
     }
 
     return randomString