To ensure privacy, an application using RAPPOR must generate random bits in an unpredictable manner. In other words, an adversary that can predict the sequence of random bits used can determine the true values being reported.
Generating random numbers is highly platform-specific -- even language-specific. So, libraries implementing RAPPOR should be parameterized by an interface to generate random bits. (This can be thought of as "dependency injection".)
For now, we have collected some useful links.
Myths about /dev/urandom -- Nice
article explaining implementation aspects of /dev/urandom and /dev/random
on Linux. (Summary: just use /dev/urandom, with caveats explained)
LWN on getrandom (patch) -- A very recent addition to the Linux kernel. As of this writing (11/2014), it's safe to say that very few applications use it. The relevant change, involving an issue mentioned in the first link, involves the situation at system boot, when there is little entropy available.