Kotlin Hardcoded Encryption Key
Description
Detects hardcoded encryption keys in Kotlin database configurations, which can expose sensitive data if compromised. Using hardcoded encryption keys in source code is a significant security risk as it may allow attackers to decrypt sensitive data if they gain access to the code.
Detection Strategy
• Check database configuration files and code for encryption key definitions
• Look for string literals or constant values being used as encryption keys
• Flag cases where encryption keys are directly embedded in the source code rather than being loaded from secure configuration
• Examine database connection strings and configuration objects for hardcoded cryptographic material
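The detection strategy above, as an added example that is not part of the original page: a small Python scanner that applies the four checks to constructed Kotlin lines, flagging string literals assigned to key-named variables, literals passed directly as the key argument of openOrCreateDatabase, and variables that were assigned a literal and are later passed as the key. The sample source, the variable names and the flagged-name word list are assumptions made for the example.

```python
import re

# Constructed sample Kotlin source (not from any real project); line 3-4 load the
# key from the environment and must NOT be flagged, lines 1, 2 and 5 must be.
SAMPLE_KOTLIN = """\
val secretKey = "gb09ym9ydoolp3w886d0tciczj6ve9kszqd65u7d126040gwy86xqimjpuuc788g"
val database = SQLiteDatabase.openOrCreateDatabase("app.db", secretKey, null)
val dbKey = System.getenv("DB_KEY")
val safeDb = SQLiteDatabase.openOrCreateDatabase("app.db", dbKey, null)
val legacyDb = SQLiteDatabase.openOrCreateDatabase("legacy.db", "hunter2", null)
val title = "Welcome"
"""

# `val name = "literal"` (optionally typed as String)
ASSIGN_LITERAL = re.compile(r'\b(?:val|var)\s+(\w+)\s*(?::\s*String)?\s*=\s*"([^"]*)"')
# second argument of openOrCreateDatabase(path, key, factory)
DB_CALL = re.compile(r'openOrCreateDatabase\(\s*"[^"]*"\s*,\s*([^,]+),')
# variable names that suggest cryptographic material (assumed word list)
KEY_NAME = re.compile(r"key|secret|passphrase|password", re.IGNORECASE)


def find_hardcoded_keys(source: str) -> list[dict]:
    """Return one finding per line that embeds a database encryption key in source."""
    findings = []
    literal_vars = {}  # variable name -> line where it received a string literal
    for lineno, line in enumerate(source.splitlines(), start=1):
        assign = ASSIGN_LITERAL.search(line)
        if assign:
            name = assign.group(1)
            literal_vars[name] = lineno
            if KEY_NAME.search(name):
                findings.append({"line": lineno, "kind": "key-named literal", "name": name})
        for call in DB_CALL.finditer(line):
            key_arg = call.group(1).strip()
            if key_arg.startswith('"'):
                findings.append({"line": lineno, "kind": "literal key argument", "name": key_arg})
            elif key_arg in literal_vars:
                findings.append({"line": lineno, "kind": "literal variable used as key",
                                 "name": key_arg})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_KOTLIN):
        print(f"line {f['line']}: {f['kind']} ({f['name']})")
```

A real rule would also follow keys through constants and companion objects; this version only tracks direct literal assignments within one file.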
Vulnerable code example
// Database operations with hardcoded encryption keys
val secretKey = "gb09ym9ydoolp3w886d0tciczj6ve9kszqd65u7d126040gwy86xqimjpuuc788g" // Vulnerable: Hardcoded encryption key
val database = SQLiteDatabase.openOrCreateDatabase("app.db", secretKey, null) // Vulnerable: Using hardcoded key for encryption
✅ Secure code example
import android.content.Context
import android.util.Base64
import java.security.SecureRandom

class DatabaseHelper(private val context: Context) {
    // Derive the key at runtime from a CSPRNG instead of embedding it in source
    private fun generateSecureKey(): String {
        val random = SecureRandom()
        val keyBytes = ByteArray(64) // Generate 64-byte key
        random.nextBytes(keyBytes)
        // Encode so the key can be passed where a String passphrase is expected
        return Base64.encodeToString(keyBytes, Base64.NO_WRAP)
    }
}