This article provides a security testing report on the randomness of mnemonic generation in the OneKey App (software wallet), encompassing all supported operating systems by OneKey App (macOS, Windows, Android, iOS) and its respective clients (Desktop & Extension).
Conclusion
The OneKey App employs platform-specific cryptographically strong random number APIs recommended by development guidelines across Windows, macOS, iOS, and Android clients, as well as the Chrome extension. Internal testing confirms compliance with NIST SP 800-22 and FIPS 140-2 random number security standards.
- On Chrome-based platforms (Windows, macOS), the secure pseudo-random number API
crypto.getRandomValues
provided by Chrome is utilized to generate cryptographically strong pseudo-random numbers. - On React Native-based Android and iOS platforms, the system-provided secure random interfaces
SecureRandom
andSecRandomCopyBytes
are respectively called.
⚠️ Note: Although OneKey App strictly adheres to security development guidelines, the security of the random number generation can also be affected by the operating system/hardware implementation of the user's device.
Security Testing
NIST SP 800-22 (National Institute of Standards and Technology Special Publication 800-22) is a document published by the National Institute of Standards and Technology (NIST) of the United States, primarily involving a statistical test suite for testing Pseudo-Random Number Generators (PRNG). It provides a set of statistical tests to evaluate the randomness and quality of bit sequences generated by random number generators.
- Testing Software: NIST SP 800-22 Statistical Test Suite
- Testing Environment: macOS 14.5
- Testing Parameters:
Project |
Parameters |
---|---|
Segment Length |
1024000 |
Test Items |
1 (All 15 tests) |
Block Frequency Test - block length(M) |
20480 |
NonOverlapping Template Test - block length(m) |
10 |
Overlapping Template Test - block length(m) |
10 |
Approximate Entropy Test - block length(m) |
10 |
Serial Test - block length(m) |
16 |
Linear Complexity Test - block length(M) |
5000 |
bitstreams |
20(20*1024000bits = 20480000bits = 20MB) |
System: Win10 22H2; Hardware: i7-13700h
-
Desktop Client
- The Windows desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-windows-desktop-wini713.txt (Available in the attachment)
- The Windows desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
-
Browser Extension
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-windows-ext-wini713.txt (Available in the attachment)
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
System: Sonoma 14.6; Hardware: MacBook Pro 2020 13-inch M1
-
Desktop Client
- The macOS desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-macOS-desktop-macm1p.txt (Available in the attachment)
- The macOS desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
-
Browser Extension
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-macOS-ext-macm1p.txt (Available in the attachment)
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
System hyperOS 1.0.4.0; Hardware Xiaomi 10s snapdragon870
-
Android Client
- The Android client for OneKey App, being a React Native application, relies on native APIs. On Android, the system API
SecureRandom
is invoked whencrypto.getRandomValues
is called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-android-app-andsm870.txt (Available in the attachment)
- The Android client for OneKey App, being a React Native application, relies on native APIs. On Android, the system API
System: IOS 17.5; Hardware: iPhoneX A11
-
iOS Client
- The iOS client for OneKey App, being a React Native application, relies on native APIs. On iOS, the system API
SecRandomCopyBytes
is invoked whencrypto.getRandomValues
is called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. Testing according to the defined parameters yielded a "Test Report" (see attachment below), where all items passed, meeting security requirements. - Results: NIST SP 800-22-iOS-app-x.txt (Available in the attachment)
- The iOS client for OneKey App, being a React Native application, relies on native APIs. On iOS, the system API
FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is a computer security standard issued by NIST. It details the security requirements for cryptographic modules, specifically focusing on RNG types, security strength, seed, entropy, periodicity, periodic tests, and continuous tests.
- Testing Software: rng-tools
- Testing Parameters: None
- Testing Environment: ubuntu 24.04 arm64
-
Compilation Process:
- Install gcc, automake properly
- Execute
./autogen.sh
- Execute
./configure
(if errors occur, configure dependencies as per the error messages) - Execute
make
to compile files rngd and rngtest - Execute
./rngtest < testfile.bin
⚠️ Note: Test files must be in binary format as inputs, not ASCII.
System: Win10 22H2; Hardware: i7-13700h
-
Desktop Client
- The Windows desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows all items pass, meeting security requirements.
- The Windows desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
-
Browser Extension
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows 1024 rounds tested with one round of Runs failing, but all items passed overall, meeting security requirements.
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
System: Sonoma 14.6; Hardware: MacBook Pro 2020 13-inch M1
-
Desktop Client
- The macOS desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows all items pass, meeting security requirements.
- The macOS desktop client for OneKey App is an Electron application that relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
-
Browser Extension
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
crypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows all items pass, meeting security requirements.
- The Chrome extension relies on the Chrome engine. Using developer tools, the mnemonic entropy generation API
System: hyperOS 1.0.4.0;Hardware: Xiaomi 10s snapdragon870
-
Android Client
- The Android client for OneKey App, being a React Native application, relies on native APIs. On Android, the system API SecureRandom is invoked when
crypto.getRandomValues
is called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows three rounds out of 1024 that failed all test items, but all items passed overall, meeting security requirements.
⚠️ Note: The Android client had three test rounds out of 1024 where all test items failed. This issue might be a bug in the rng-test tool and does not affect the overall conclusion of the test.
- The Android client for OneKey App, being a React Native application, relies on native APIs. On Android, the system API SecureRandom is invoked when
System iOS 17.5;Hardware: iPhoneX A11
-
iOS Client
- The iOS client for OneKey App, being a React Native application, relies on native APIs. On iOS, the system API
SecRandomCopyBytes
is invoked whencrypto.getRandomValues
is called in the application. Using React remote JS debug, the mnemonic entropy generation APIcrypto.getRandomValues
is called at runtime to sample random numbers, totaling 20MB. The text file was converted to a binary file, and "Test Report" below shows one failed test in Long run out of 1024 rounds, but all items passed overall, meeting security requirements.
- The iOS client for OneKey App, being a React Native application, relies on native APIs. On iOS, the system API