Dart Hardcoded Cryptography Key
Description
Detects hardcoded or predictable encryption keys in Dart applications that use the encrypt package. A key written into the source is shipped inside every build of the application (and every copy of the repository), so anyone who decompiles the binary or reads the code can recover it and decrypt all data the key protects. Because the same key is baked into every installation, a single extraction compromises every user at once.
Detection Strategy
• Check if the encrypt package is imported in the Dart source code
• Search for usage of the Encrypter class from the encrypt package
• Verify if the encryption key used with Encrypter is hardcoded or predictable
• Report a vulnerability when an Encrypter instance is created with a key that is fixed at build time (a string literal, a base64 literal, or a zero-filled Key.fromLength) rather than one obtained at run time. A value injected with --dart-define and read through String.fromEnvironment is still compiled into the binary and counts as hardcoded.
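The strategy above, as an added example that is not Fluid Attacks' scanner code: a small Python check that requires the encrypt import, flags Encrypter(AES(...)) when the key argument is a literal Key.fromUtf8/fromBase64/fromLength call, and follows a variable name back to the line where it was last assigned from such a literal. The Dart source it runs on is constructed for this example; the regex-based matching and the name-based variable tracking are simplifications (no scope or cross-file analysis, and a const String later passed to Key.fromUtf8 is not followed).

```python
import re

# Constructed sample Dart source (not from the page): three static-key cases and
# one run-time key read from secure storage, used to exercise the check below.
SAMPLE_DART = """\
import 'package:encrypt/encrypt.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

void vulnInline() {
  final encrypter = Encrypter(AES(Key.fromUtf8('HARDCODEDKEYHARDCODEDKEY12345678')));
}

void vulnVariable() {
  final key = Key.fromBase64('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');
  final encrypter = Encrypter(AES(key));
}

void vulnZeroKey() {
  final key = Key.fromLength(32); // zero-filled key: predictable
  final encrypter = Encrypter(AES(key));
}

Future<void> secure(FlutterSecureStorage storage) async {
  final stored = await storage.read(key: 'encryption_key');
  final key = Key.fromBase64(stored!);
  final encrypter = Encrypter(AES(key));
}
"""

IMPORT_RE = re.compile(r"""import\s+['"]package:encrypt/encrypt\.dart['"]""")
# A Key whose bytes are fixed at build time: a string literal, a base64
# literal, or Key.fromLength(n), which the encrypt package fills with zeros.
LITERAL_KEY_RE = re.compile(
    r"""Key\.from(?:Utf8|Base64|Length)\(\s*(?:'[^']*'|"[^"]*"|\d+)\s*\)""")
# `final key = <expr>;` or a plain reassignment `key = <expr>;`
ASSIGN_RE = re.compile(r"""(?:(?:final|const|var|Key)\s+)?(\w+)\s*=\s*(.+?);""")
# First argument of AES(...) inside Encrypter(...): an identifier or one call
ENCRYPTER_RE = re.compile(r"""Encrypter\(\s*AES\(\s*(\w+(?:\.\w+)*(?:\([^)]*\))?)""")


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for every Encrypter built with a build-time key.

    Requires the encrypt import (otherwise Encrypter/AES/Key belong to some
    other library), then flags Encrypter(AES(...)) whose key is a literal or a
    variable last assigned from one. Variables are tracked by name until they
    are reassigned; '//' inside string literals is not handled.
    """
    if not IMPORT_RE.search(source):
        return []
    tainted: dict[str, int] = {}  # variable -> line where a literal key was assigned
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # strip a trailing line comment
        m = ASSIGN_RE.search(code)
        if m:
            name, rhs = m.group(1), m.group(2).strip()
            if LITERAL_KEY_RE.fullmatch(rhs):
                tainted[name] = lineno
            else:
                tainted.pop(name, None)  # reassigned from something dynamic
        for em in ENCRYPTER_RE.finditer(code):
            arg = em.group(1).strip()
            if LITERAL_KEY_RE.fullmatch(arg):
                findings.append((lineno, f"literal key passed to AES: {arg}"))
            elif arg in tainted:
                findings.append(
                    (lineno, f"key '{arg}' built from a literal on line {tainted[arg]}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_hardcoded_keys(SAMPLE_DART):
        print(f"line {lineno}: {reason}")
```

Run against the sample it reports lines 5, 10 and 15 and stays silent on the secure function, because the key there is reassigned from a value read at run time. Anything this check misses (keys assembled from constants, keys read from a bundled asset or from --dart-define) is still hardcoded in the sense of the rule and needs manual review.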
Vulnerable code example
import 'package:encrypt/encrypt.dart';
void encryptData() {
  // Vulnerable: the 32-byte AES key is a string literal shipped inside the app
  final key = Key.fromUtf8('HARDCODEDKEYHARDCODEDKEY12345678');
  final encrypter = Encrypter(AES(key));
  // A fresh IV per message is correct, but it does not help once the key is known
  final iv = IV.fromSecureRandom(16);
  final encrypted = encrypter.encrypt('sensitive data', iv: iv);
}
✅ Secure code example
import 'package:encrypt/encrypt.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
Future<void> encryptData() async {
  final storage = FlutterSecureStorage();
  String? storedKey = await storage.read(key: 'encryption_key'); // Keychain/Keystore-backed
  if (storedKey == null) {
    storedKey = Key.fromSecureRandom(32).base64; // 256-bit key generated on the device
    await storage.write(key: 'encryption_key', value: storedKey);
  }
  final encrypter = Encrypter(AES(Key.fromBase64(storedKey)));
  final encrypted = encrypter.encrypt('sensitive data', iv: IV.fromSecureRandom(16)); // keep the IV with the ciphertext
}