Java Hardcoded Base64 IV
Description
Detects hardcoded Base64-encoded initialization vectors (IVs) used in Java cryptographic operations, typically a String constant that is Base64-decoded and passed to IvParameterSpec. An IV does not need to be secret, but it must not repeat under the same key. In CBC mode a fixed IV makes encryption deterministic: two plaintexts that begin with the same bytes produce ciphertexts that begin with the same blocks, so an attacker can tell when the same data is encrypted again and can confirm a guess for the first block by having it encrypted and comparing the result. In counter-based modes such as CTR, repeating the IV reuses the keystream and exposes the XOR of the two plaintexts. The IV should be generated with SecureRandom for each encryption operation and stored alongside the ciphertext, for example prepended to it, so that the receiver can decrypt.
Detection Strategy
• Check if the javax.crypto.spec package is imported in the Java source code
• Look for creation of IvParameterSpec objects in the code (new IvParameterSpec(...))
• Examine the first argument passed to the IvParameterSpec constructor, the IV byte array, and check whether it is derived from a hardcoded Base64-encoded string, either an inline literal or a String constant declared in the class
• Report a vulnerability if a hardcoded Base64 string is used to initialize the IV instead of a value generated at runtime, for example with SecureRandom
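The four steps above, implemented as a small source scanner in Python. This is an added example written for this page, not Fluid Attacks' own rule or engine: it applies the import check, locates each new IvParameterSpec(...) call, extracts the first constructor argument with parenthesis matching (so Base64.decode(IV, Base64.DEFAULT) is taken whole, not cut at its inner comma), and resolves that argument to a string either inline or through a String constant declared in the same file, which is the pattern this page's vulnerable example uses. The Java snippets it scans are constructed for the example; the 16-character minimum length and the Base64 alphabet check are heuristics chosen here and are assumptions, not part of the published rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Patterns and thresholds below are heuristics chosen for this example, not the published rule.
SPEC_IMPORT_RE = re.compile(r"^\s*import\s+javax\.crypto\.spec\.", re.M)
IV_CALL_RE = re.compile(r"new\s+IvParameterSpec\s*\(")
CONST_RE = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"\s*;')  # String NAME = "...";
STRING_LIT_RE = re.compile(r'"([^"]*)"')
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


@dataclass
class Finding:
    line: int       # 1-based line of the IvParameterSpec constructor call
    argument: str   # source text of its first argument
    literal: str    # the hardcoded Base64 string that argument resolves to


def is_base64(s: str) -> bool:
    # 16 chars decode to 12 bytes, the shortest IV worth flagging; filters out short words
    return len(s) >= 16 and len(s) % 4 == 0 and B64_RE.match(s) is not None


def first_argument(src: str, open_paren: int) -> str:
    """Return the first argument of the call whose '(' is at src[open_paren], paren-balanced."""
    depth, in_str, i, buf = 0, False, open_paren, []
    while i < len(src):
        c = src[i]
        if in_str:
            buf.append(c)
            if c == "\\":                     # keep the escaped character verbatim
                i += 1
                buf.append(src[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            buf.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                buf.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
            buf.append(c)
        elif c == "," and depth == 1:         # top-level comma ends the first argument
            break
        else:
            buf.append(c)
        i += 1
    return "".join(buf).strip()


def resolve_literal(arg: str, constants: Dict[str, str]) -> Optional[str]:
    """Inline string literal, or the value of a String constant the argument refers to."""
    lit = STRING_LIT_RE.search(arg)
    if lit:
        return lit.group(1)
    for ident in re.findall(r"\b[A-Za-z_]\w*\b", arg):
        if ident in constants:
            return constants[ident]
    return None


def scan(src: str) -> List[Finding]:
    if not SPEC_IMPORT_RE.search(src):            # step 1: javax.crypto.spec imported?
        return []
    constants = dict(CONST_RE.findall(src))
    findings = []
    for m in IV_CALL_RE.finditer(src):            # step 2: IvParameterSpec construction
        arg = first_argument(src, m.end() - 1)    # step 3: first constructor argument
        literal = resolve_literal(arg, constants)
        if literal is not None and is_base64(literal):   # step 4: hardcoded Base64 value
            findings.append(Finding(src.count("\n", 0, m.start()) + 1, arg, literal))
    return findings


# Constructed Java sources for this example (not code from the page).
VULNERABLE_JAVA = """\
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import android.util.Base64;
public class CryptoExample {
    private static final String IV = "MDEyMzQ1Njc4OWFiY2RlZg=="; // hardcoded IV
    byte[] run(byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(Base64.decode(IV, Base64.DEFAULT)));
        return c.doFinal(data);
    }
}
"""
INLINE_JAVA = """\
import javax.crypto.spec.IvParameterSpec;
class Inline { Object iv() { return new IvParameterSpec(
    java.util.Base64.getDecoder().decode("AAAAAAAAAAAAAAAAAAAAAA==")); } }
"""
SAFE_JAVA = """\
import javax.crypto.spec.IvParameterSpec;
class Safe { Object iv() { byte[] iv = new byte[16];
    new java.security.SecureRandom().nextBytes(iv); return new IvParameterSpec(iv); } }
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_JAVA), ("inline", INLINE_JAVA), ("safe", SAFE_JAVA)]:
        print(name, [(f.line, f.literal) for f in scan(src)])
```

The constant-resolution step is what makes the check useful in practice: the IV literal is rarely written inside the constructor call itself, so a scanner that only inspects the call's own text misses the common private static final String form. The scanner stays silent on the SecureRandom variant because the argument resolves to no string at all.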
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import android.util.Base64;

public class CryptoExample {
    private static final String IV = "MDEyMzQ1Njc4OWFiY2RlZg=="; // Vulnerable: Hardcoded IV (16 bytes, Base64-encoded)

    public static byte[] encrypt(byte[] key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // Every call uses the same IV: equal plaintext prefixes give equal ciphertext prefixes
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                new IvParameterSpec(Base64.decode(IV, Base64.DEFAULT)));
        return cipher.doFinal(plaintext);
    }
}
✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import android.util.Base64;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;

public class CryptoExample {
    public static String encrypt(char[] password, byte[] salt, String plaintext) throws Exception {
        // Key derived from the password with a random salt that is stored alongside the ciphertext
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 600_000, 256)).getEncoded();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv); // Secure: fresh random IV for every encryption, never a literal
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ciphertext.length]; // IV is not secret: prepend it for the receiver
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return Base64.encodeToString(out, Base64.NO_WRAP);
    }
}