Kotlin Weak Random Seed
Description
Detects the use of weak or predictable seeds when initializing or reseeding SecureRandom instances in Kotlin code. A constant or guessable seed lets anyone who knows it reproduce the generator's output, which defeats the purpose of a cryptographically secure random number generator. How much damage it does depends on the provider: with SHA1PRNG, a seed supplied before the first nextBytes() call replaces the provider's self-seeding, so every output is fully deterministic; with NativePRNG or DRBG the supplied seed is only mixed into state already drawn from the operating system, so the output stays unpredictable but the call adds nothing and signals a misunderstanding of the API.
Detection Strategy
• Look for calls to the seeded SecureRandom(ByteArray) constructor and to setSeed() on SecureRandom instances
• Check whether the seed argument is a compile-time constant (a numeric literal, a string literal, or a literal byte array) or is otherwise predictable
• Report a vulnerability when SecureRandom is initialized or reseeded with such a non-random or weak seed value
• Treat an unseeded SecureRandom() and seed material taken from generateSeed() as acceptable: in both cases the provider seeds itself from the operating system's entropy source
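The following is an added example, not code from Fluid Attacks' page, showing how the strategy above can be applied mechanically. It is a small Kotlin scanner that runs over a constructed snippet of Kotlin source (embedded inline, not real project code) and reports seed arguments that are compile-time constants, plus clock-derived seeds as a lower-severity finding. The regular expressions are heuristics written for this example and tolerate one level of nested parentheses; a real rule would work on the compiler's AST instead.

```kotlin
// Constructed sample source for the scanner to run over (not real project code).
val sampleSource = """
    import java.security.SecureRandom
    val a = SecureRandom()                           // fine: provider self-seeds
    a.setSeed(12345L)                                // finding: numeric literal
    val b = SecureRandom("fixedseed".toByteArray())  // finding: string literal
    val c = SecureRandom(a.generateSeed(32))         // fine: seed drawn from the CSPRNG
    val d = SecureRandom(byteArrayOf(1, 2, 3))       // finding: literal byte array
    b.setSeed(System.nanoTime())                     // finding: clock is low-entropy
""".trimIndent()

data class Finding(val line: Int, val severity: String, val call: String)

// Seed expressions fixed at compile time: numeric literal, string literal
// (optionally .toByteArray()), or a literal byte array.
private val constantSeed =
    Regex("""^\s*(?:-?\d+L?|"[^"]*"(?:\.toByteArray\([^()]*\))?|byteArrayOf\([^()]*\))\s*$""")

// Seed expressions that vary at runtime but are guessable within a small window.
private val guessableSeed = Regex("""System\.(?:nanoTime|currentTimeMillis)\(\)""")

// A seeded constructor call or a setSeed() call; the group captures the argument
// and tolerates one level of nested parentheses (heuristic, not a full parser).
private val seedSite = Regex("""(?:\bSecureRandom|\.setSeed)\(([^()]*(?:\([^()]*\))?[^()]*)\)""")

fun scan(source: String): List<Finding> =
    source.lines().flatMapIndexed { index, rawLine ->
        val code = rawLine.substringBefore("//")      // ignore trailing line comments
        seedSite.findAll(code).mapNotNull { match ->
            val arg = match.groupValues[1]
            when {
                arg.isBlank() -> null                 // SecureRandom(): unseeded, acceptable
                constantSeed.matches(arg) -> Finding(index + 1, "HIGH", match.value.trim())
                guessableSeed.containsMatchIn(arg) -> Finding(index + 1, "MEDIUM", match.value.trim())
                else -> null                          // runtime value such as generateSeed(): manual review
            }
        }.toList()
    }

fun main() {
    scan(sampleSource).forEach { println("line ${it.line} [${it.severity}] ${it.call}") }
}
```

Anything the scanner cannot classify (a seed coming from a variable, a method call or a network read) is deliberately left for manual review rather than reported, so that the rule stays low-noise; the constant and clock cases are the ones that can be flagged with confidence from source text alone.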
Vulnerable code example
import java.security.SecureRandom

// Using a hardcoded seed makes SecureRandom predictable
val secureRandom = SecureRandom()
secureRandom.setSeed(12345L) // Vulnerable: constant seed; on SHA1PRNG, seeding before the first nextBytes() makes every output reproducible

// Using a fixed byte array as the seed is also predictable
val bytes = "fixedseed123456".toByteArray()
val seededRandom = SecureRandom(bytes) // Vulnerable: anyone who can read the source knows the seed
✅ Secure code example
import java.security.NoSuchAlgorithmException
import java.security.SecureRandom

// Let the provider self-seed from the operating system's entropy source and never pass a seed of your own.
// getInstanceStrong() picks the algorithm named in the securerandom.strongAlgorithms security property;
// on some platforms it may block while entropy is gathered, so plain SecureRandom() is the right default
// for request-path code, and the strong instance is best reserved for long-lived key generation.
val secureRandom = try {
    SecureRandom.getInstanceStrong() // Preferred where occasional blocking is acceptable
} catch (e: NoSuchAlgorithmException) {
    SecureRandom() // Fallback: still secure, self-seeded from the system entropy source
}
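The following is an added example, not code from Fluid Attacks' page, that makes the weakness observable rather than theoretical. It puts the vulnerable pattern (SHA1PRNG seeded with a fixed byte array before any output is drawn) next to the hardened one (a self-seeded default instance, with any extra seed material taken from generateSeed() so that setSeed() only supplements existing state). It assumes a standard JVM with the SUN provider; Android's SHA1PRNG behaves differently and is not covered here.

```kotlin
import java.security.SecureRandom

// Render bytes as hex so two output streams can be compared by eye.
fun ByteArray.hex(): String = joinToString("") { "%02x".format(it) }

// Vulnerable: SHA1PRNG skips its own self-seeding when setSeed() is called before the
// first nextBytes(), so the whole output stream is a pure function of the caller's seed.
fun fixedSeedStream(seed: ByteArray, count: Int = 16): ByteArray {
    val rng = SecureRandom.getInstance("SHA1PRNG")
    rng.setSeed(seed)
    return ByteArray(count).also { rng.nextBytes(it) }
}

// Hardened: the default instance seeds itself from the OS entropy source. If extra
// seed material is wanted, draw it from the generator; setSeed() then mixes it into
// the existing state instead of replacing it.
fun selfSeededStream(count: Int = 16): ByteArray {
    val rng = SecureRandom()
    rng.setSeed(rng.generateSeed(32))
    return ByteArray(count).also { rng.nextBytes(it) }
}

fun main() {
    val fixedSeed = "fixedseed123456".toByteArray() // the same constant an attacker would find in the source

    val run1 = fixedSeedStream(fixedSeed)
    val run2 = fixedSeedStream(fixedSeed)
    println("SHA1PRNG, fixed seed, run 1: ${run1.hex()}")
    println("SHA1PRNG, fixed seed, run 2: ${run2.hex()}")
    println("streams identical: ${run1.contentEquals(run2)}") // an attacker who knows the seed knows every value

    val run3 = selfSeededStream()
    val run4 = selfSeededStream()
    println("self-seeded, run 1: ${run3.hex()}")
    println("self-seeded, run 2: ${run4.hex()}")
    println("streams identical: ${run3.contentEquals(run4)}")
}
```

Running the program twice, or on two machines, yields the same first block of bytes from the fixed-seed generator each time, which is exactly the property the vulnerability description warns about: session identifiers, tokens or nonces produced that way can be computed offline by anyone who has read the seed out of the code.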