Swift Hardcoded Cryptographic Key
Description
Detects hardcoded cryptographic keys in Swift applications that use the CryptoKit framework. When an encryption key is hardcoded in source code, anyone with access to the repository or the compiled binary can extract it, potentially compromising the confidentiality of all data encrypted under that key. This violates the principle of secure key management.
Detection Strategy
• Check if the CryptoKit framework is imported in the Swift source code
• Look for instances where SymmetricKey is being initialized
• Verify if the SymmetricKey is created using a hardcoded string value instead of being securely generated or retrieved
• Report a vulnerability when a SymmetricKey is initialized with hardcoded values
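The four steps above, implemented as an added Python scanner over two constructed Swift snippets; this is example code written for this page, not the rule's actual implementation or Fluid Attacks' tooling, and the regular expressions and the one-file literal tracking are assumptions about how such a check can be approximated.

```python
import re
from typing import List, Set, Tuple

# Constructed Swift snippets for this demo; not taken from the original page.
VULNERABLE_SWIFT = """import Foundation
import CryptoKit
let insecureKey = "1234567890123456"
let symmetricKey = SymmetricKey(data: insecureKey.data(using: .utf8)!)
"""

SECURE_SWIFT = """import Foundation
import CryptoKit
func getOrCreateSecureKey() -> SymmetricKey {
    return SymmetricKey(size: .bits256)
}
let stored = SymmetricKey(data: loadKeyFromKeychain())
"""

# `let name = "..."` (optionally typed) binds an identifier to a string literal.
STRING_LITERAL_ASSIGN = re.compile(r'^\s*(?:let|var)\s+(\w+)\s*(?::\s*String\s*)?=\s*"')
# Capture the argument text of SymmetricKey(data: ...) up to the first ')'.
SYMMETRIC_KEY_DATA = re.compile(r'SymmetricKey\(\s*data\s*:\s*([^)]*)')
CRYPTOKIT_IMPORT = re.compile(r'^\s*import\s+CryptoKit\b')


def find_hardcoded_symmetric_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for SymmetricKey(data:) calls fed by a hardcoded string.

    Follows the rule's strategy: only files importing CryptoKit are checked, and a
    finding needs either an inline string literal or an identifier that an earlier
    line of the same file bound to a string literal (a simple data-flow approximation).
    """
    lines = source.splitlines()
    if not any(CRYPTOKIT_IMPORT.match(ln) for ln in lines):
        return []  # Step 1: the rule only applies to CryptoKit users
    literal_names: Set[str] = set()
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        bound = STRING_LITERAL_ASSIGN.match(line)
        if bound:
            literal_names.add(bound.group(1))  # remember names holding literals
        for call in SYMMETRIC_KEY_DATA.finditer(line):  # Step 2: SymmetricKey init
            arg = call.group(1)
            from_literal_name = any(re.search(rf'\b{re.escape(n)}\b', arg) for n in literal_names)
            if '"' in arg or from_literal_name:  # Step 3: hardcoded source
                findings.append((lineno, line.strip()))  # Step 4: report
    return findings
```

Keys built from `SymmetricKey(size:)` or from a runtime call such as a Keychain lookup are not reported, which is what lets the secure snippet pass.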
Vulnerable code example
import Foundation
import CryptoKit
// Hardcoded encryption key as string literal - insecure!
let insecureKey = "1234567890123456"
// Creating SymmetricKey from hardcoded data - vulnerable to key extraction
let symmetricKey = SymmetricKey(data: insecureKey.data(using: .utf8)!)
Secure code example
import Foundation
import CryptoKit
func getOrCreateSecureKey() -> SymmetricKey {
    // Generate a new random key with proper entropy
    let key = SymmetricKey(size: .bits256)
    // Here you would typically store the key securely in Keychain
    return key
}