Kotlin Insecure Key Generation
Description
Detects insecure elliptic curve (EC) key generation in Kotlin code that uses ECGenParameterSpec. ECGenParameterSpec selects the curve by name, and the JCA will generate whatever curve the provider supports; if the name is not validated against an approved set, the application can end up with keys on weak or deprecated curves, compromising the confidentiality and authenticity of the communications and data that depend on them.
Detection Strategy
• Identifies usage of ECGenParameterSpec class through any of these imports/references: 'security.spec.ECGenParameterSpec', 'spec.ECGenParameterSpec', or 'ECGenParameterSpec'
• Examines the constructor arguments passed to ECGenParameterSpec to verify the curve parameters
• Reports a vulnerability when ECGenParameterSpec is instantiated with potentially insecure parameters
Vulnerable code example

import java.security.MessageDigest
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import javax.net.ssl.SSLContext

fun main() {
    // Vulnerable: Using weak cipher algorithm (DES has a 56-bit key)
    val cipher1 = Cipher.getInstance("DES")
    // ...
}

Secure code example

import java.security.MessageDigest
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import javax.net.ssl.SSLContext

fun main() {
    // Secure: Using strong AES cipher with GCM mode (authenticated encryption)
    val cipher1 = Cipher.getInstance("AES/GCM/NoPadding")
    // ...
}
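The description above concerns the curve name handed to ECGenParameterSpec rather than the cipher shown in the page's own snippets. The following is an added example, not code from the original page or from Fluid Attacks, showing the unvalidated pattern the rule targets next to a hardened form that checks the curve name against an allowlist before the spec is built. The allowlist contents, the function names and the sample curve name are assumptions for this illustration.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.spec.ECGenParameterSpec

// Allowlist of named curves treated as acceptable in this example
// (assumption for the illustration; adjust to your organisation's policy).
val APPROVED_CURVES: Set<String> = setOf("secp256r1", "secp384r1", "secp521r1")

// Vulnerable pattern the rule flags: the curve name reaches ECGenParameterSpec
// unvalidated, so configuration or a caller can select a weak or deprecated
// curve such as "secp112r1" and the provider will happily honour it.
fun generateEcKeyPairUnchecked(curveName: String): KeyPair {
    val kpg = KeyPairGenerator.getInstance("EC")
    kpg.initialize(ECGenParameterSpec(curveName))
    return kpg.generateKeyPair()
}

// Hardened form: validate against the allowlist before building the spec,
// so a weak curve is rejected by policy rather than left to the provider.
fun approvedEcSpec(curveName: String): ECGenParameterSpec {
    require(curveName in APPROVED_CURVES) { "curve '$curveName' is not approved" }
    return ECGenParameterSpec(curveName)
}

fun generateEcKeyPair(curveName: String): KeyPair {
    val kpg = KeyPairGenerator.getInstance("EC")
    kpg.initialize(approvedEcSpec(curveName))
    return kpg.generateKeyPair()
}

fun main() {
    // Constructed input standing in for a curve name read from configuration.
    val requestedCurve = "secp112r1"

    // Unchecked path: the outcome depends on the JDK's EC provider. Older
    // providers generate a 112-bit key; newer ones may refuse the legacy curve.
    runCatching { generateEcKeyPairUnchecked(requestedCurve) }
        .onSuccess { println("unchecked: generated a key pair on $requestedCurve") }
        .onFailure { println("unchecked: provider refused $requestedCurve: ${it.message}") }

    // Checked path: rejected by the allowlist before any provider call is made.
    runCatching { generateEcKeyPair(requestedCurve) }
        .onFailure { println("checked: ${it.message}") }

    // Approved curve: key generation proceeds normally.
    val kp = generateEcKeyPair("secp256r1")
    println("checked: generated ${kp.public.algorithm} key pair on secp256r1")
}
```

Passing a curve name that is a variable rather than a string literal is exactly the case a static rule cannot classify on its own, which is why the detection strategy reports the instantiation; the allowlist check turns that runtime choice into something reviewable in code.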