Kotlin Hardcoded Salt Value
Description
Detects when password-based encryption functions (PBEKeySpec, PBEParameterSpec) are initialized with hardcoded salt values in Kotlin code. Using hardcoded salts instead of random ones makes password hashing vulnerable to precomputation attacks like rainbow tables.
Detection Strategy
• Look for constructor calls to PBEKeySpec or PBEParameterSpec classes
• Check if the salt parameter in the constructor arguments is a hardcoded literal value
• Report a vulnerability if the salt is hardcoded instead of being randomly generated
Vulnerable code example
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.PBEParameterSpec

private val SALT = "HARDCODED_SALT" // Vulnerability: a hard-coded salt reduces cryptographic strength

fun insecureCrypto() {
    val password = "password".toCharArray()
    val pbeSpec = PBEParameterSpec(SALT.toByteArray(), 10000) // Vulnerable: the same fixed salt is reused for every password
    val keySpec = PBEKeySpec(password, SALT.toByteArray(), 10000, 256) // Vulnerable: the same hardcoded salt passed to PBEKeySpec
}
✅ Secure code example
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.PBEParameterSpec
import java.security.SecureRandom
import java.util.Base64

fun secureCrypto() {
    val password = "password".toCharArray()
    val salt = ByteArray(16) // 128-bit salt, freshly generated for each password
    SecureRandom().nextBytes(salt)
    val pbeSpec = PBEParameterSpec(salt, 10000) // Secure: random salt
    val keySpec = PBEKeySpec(password, salt, 10000, 256) // Secure: random salt, 256-bit derived key
    val encodedSalt = Base64.getEncoder().encodeToString(salt) // Store next to the derived key so it can be used at verification time
}
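As an added example (not code from this page or from Fluid Attacks' scanner), a minimal Python checker that implements the detection strategy above: it finds PBEKeySpec and PBEParameterSpec constructor calls, isolates the salt argument, and reports it when it is a string or byteArrayOf literal, or a val bound to such a literal (as the page's vulnerable example does). The argument positions are assumed from the javax.crypto API, and the Kotlin snippets it scans are constructed to mirror the two examples above.

```python
import re

# Salt argument position (javax.crypto): PBEKeySpec(password, salt, iterations, ...)
# and PBEParameterSpec(salt, iterations, ...).
SALT_ARG_INDEX = {"PBEKeySpec": 1, "PBEParameterSpec": 0}
CALL_RE = re.compile(r"\b(PBEKeySpec|PBEParameterSpec)\s*\(")
LITERAL_RE = re.compile(r'^(?:"[^"]*"|byteArrayOf\([^)]*\))$')
# 'val NAME = <literal>' bindings, so a salt passed by name is still flagged.
CONST_RE = re.compile(r'\bval\s+(\w+)\s*(?::\s*\w+)?\s*=\s*("[^"]*"|byteArrayOf\([^)]*\))')
def split_args(src, open_paren):
    # Top-level comma-separated arguments of the call whose '(' is at src[open_paren].
    args, buf, depth, in_str = [], "", 0, False
    for ch in src[open_paren + 1:]:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "([{":
            depth += 1
        elif not in_str and ch in ")]}":
            if depth == 0:
                return args + [buf.strip()]
            depth -= 1
        elif not in_str and ch == "," and depth == 0:
            args.append(buf.strip())
            buf = ""
            continue
        buf += ch
    return args  # unterminated call: return what was parsed

def is_hardcoded(expr, consts):
    # A literal, or a name bound to a literal; a trailing '.toByteArray()' does not change that.
    expr = re.sub(r"\.toByteArray\([^)]*\)$", "", expr.strip())
    return bool(LITERAL_RE.match(expr)) or expr in consts

def find_hardcoded_salts(src):
    # Returns (constructor, line) for each call whose salt argument is hardcoded.
    consts = {m.group(1) for m in CONST_RE.finditer(src)}
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end() - 1)
        idx = SALT_ARG_INDEX[m.group(1)]
        if len(args) > idx and is_hardcoded(args[idx], consts):
            findings.append((m.group(1), src.count("\n", 0, m.start()) + 1))
    return findings
# Constructed Kotlin snippets mirroring this page's examples (not real project code).
VULNERABLE = '''private val SALT = "HARDCODED_SALT"
val pbeSpec = PBEParameterSpec(SALT.toByteArray(), 10000)
val keySpec = PBEKeySpec("password".toCharArray(), "salt".toByteArray(), 10000, 256)'''
SECURE = '''val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
val keySpec = PBEKeySpec("password".toCharArray(), salt, 10000, 256)'''
```

Running find_hardcoded_salts(VULNERABLE) reports both constructor calls (lines 2 and 3), while find_hardcoded_salts(SECURE) reports nothing because the salt is a runtime value from SecureRandom.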