Kotlin Static IV Used
Description
Detects the use of static or hardcoded initialization vectors (IVs) in GCM encryption mode, which severely weakens the encryption. GCM requires a unique IV for every encryption performed under a given key; reusing the same IV with the same key exposes the data to cryptographic attacks that may allow an attacker to decrypt it.
Detection Strategy
• Identifies constructor calls to GCMParameterSpec in the javax.crypto.spec package
• Examines the first argument passed to GCMParameterSpec constructor
• Reports a vulnerability if the IV parameter is found to be static or hardcoded rather than randomly generated
• Triggers when the GCMParameterSpec is initialized with constant values instead of bytes obtained from a secure random number generator
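As an added illustration of the detection strategy above (example code written for this page, not Fluid Attacks' scanner), a small Python checker that applies those rules to Kotlin source: it locates GCMParameterSpec calls, takes the IV argument (in the JDK constructor `GCMParameterSpec(int tLen, byte[] src)` the IV is the second parameter), resolves an identifier to its `val`/`var` initializer, and reports string or array literals as well as zero-filled buffers that are never passed to `nextBytes`. The name resolution is file-wide and scope-unaware, a simplification assumed here; the Kotlin sample it runs on is constructed.

```python
import re
CALL = re.compile(r"\bGCMParameterSpec\s*\(")  # JDK ctor: GCMParameterSpec(int tLen, byte[] src[, off, len])
LITERAL = re.compile(r'^("|byteArrayOf\(|ubyteArrayOf\()')  # string or array literal
ZERO_BUF = re.compile(r"^ByteArray\(\d+\)$")                # zero-filled buffer

def _args(src: str, start: int) -> list[str]:
    """Split the argument list that begins at src[start] (just past '(') at nesting depth 0."""
    depth, in_str, out, i = 0, False, [], start
    for j in range(start, len(src)):
        ch = src[j]
        in_str ^= ch == '"'
        if in_str:
            continue
        if depth == 0 and ch in ",)":
            out.append(src[i:j].strip())
            i = j + 1
            if ch == ")":
                break
        depth += (ch in "([{") - (ch in ")]}")
    return out

def _is_static_iv(expr: str, src: str, seen: frozenset = frozenset()) -> bool:
    """True when the IV expression resolves to constant bytes (a literal or a never-filled buffer)."""
    if LITERAL.match(expr) or ZERO_BUF.match(expr):
        return True
    if "SecureRandom" in expr or not re.fullmatch(r"[A-Za-z_]\w*", expr) or expr in seen:
        return False  # random, or an expression we cannot resolve: stay quiet (no false positive)
    # Resolve the name to its val/var initializer (file-wide lookup, scope-unaware: an assumption).
    decl = re.search(r"\b(?:val|var)\s+" + expr + r"\s*(?::\s*\w+)?\s*=\s*([^\n]+)", src)
    if not decl:
        return False
    init = decl.group(1).split("//")[0].strip()
    if ZERO_BUF.match(init):  # zero buffer: static unless a CSPRNG fills it afterwards
        return not re.search(r"\bnextBytes\(\s*" + expr + r"\s*\)", src)
    return _is_static_iv(init, src, seen | {expr})

def find_static_gcm_ivs(src: str) -> list[tuple[int, str]]:
    """Return (line, iv_expression) for every GCMParameterSpec call whose IV is static."""
    calls = ((src.count("\n", 0, m.start()) + 1, _args(src, m.end())) for m in CALL.finditer(src))
    return [(line, a[1]) for line, a in calls if len(a) >= 2 and _is_static_iv(a[1], src)]

# Constructed sample: a hardcoded IV, an all-zero IV and a properly randomised one.
SAMPLE_KOTLIN = """\
val staticIV = "fixed12345abcde".toByteArray()
val bad1 = GCMParameterSpec(128, staticIV)
val bad2 = GCMParameterSpec(128, ByteArray(12))
val iv = ByteArray(12)
SecureRandom().nextBytes(iv)
val good = GCMParameterSpec(128, iv)
"""
```

Running `find_static_gcm_ivs(SAMPLE_KOTLIN)` reports lines 2 and 3 and stays silent on the SecureRandom-filled buffer.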
Vulnerable code example
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
fun encryptVulnerable(key: ByteArray, data: ByteArray): ByteArray {
    val staticIV = "fixed12345abcde".toByteArray() // VULNERABILITY: Using static/hardcoded IV instead of random value
    val gcmSpec = GCMParameterSpec(128, staticIV)
    val keySpec = SecretKeySpec(key, "AES")
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmSpec) // every call reuses the same key/IV pair
    return cipher.doFinal(data)
}
Secure code example
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
fun encryptSecure(key: ByteArray, data: ByteArray): ByteArray {
    val random = SecureRandom()
    val iv = ByteArray(12)
    random.nextBytes(iv) // fresh 96-bit IV from a CSPRNG for every encryption
    val gcmSpec = GCMParameterSpec(128, iv)
    val keySpec = SecretKeySpec(key, "AES")
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmSpec)
    return iv + cipher.doFinal(data) // prepend the IV so the receiver can decrypt
}