Kotlin Hardcoded IV Used
Description
Detects the use of hardcoded initialization vectors (IVs) in cryptographic operations through IvParameterSpec. Using static/hardcoded IVs severely weakens the security of encryption by making it predictable, potentially allowing attackers to decrypt sensitive data.
Detection Strategy
• Identifies constructor calls to IvParameterSpec class
• Examines the arguments passed to IvParameterSpec to check if they are hardcoded/static values
• Reports a vulnerability when IvParameterSpec is initialized with constant/literal byte arrays instead of randomly generated values
• Focuses on cryptographic implementations in Java/Kotlin code that use javax.crypto APIs
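As an added illustration of the detection strategy above (example code written for this page, not Fluid Attacks' rule implementation), the following Go program applies the same steps to a constructed Kotlin snippet: it finds IvParameterSpec constructor calls, resolves each argument through single-line val/var bindings, and flags the call when the argument resolves to a string or byte-array literal or to a zero-filled ByteArray. The scanner, the regular expressions and the sample source are assumptions of this example; a production rule works on a parsed AST rather than on lines of text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one IvParameterSpec(...) call whose argument resolves to fixed bytes.
type Finding struct {
	Line int    // 1-based line in the scanned source
	Arg  string // argument text as written at the call site
	Expr string // expression the argument resolves to after following a val/var binding
}

var (
	// Single-line Kotlin property bindings: val/var name[: Type] = expr [// comment]
	assignRe = regexp.MustCompile(`^\s*(?:val|var)\s+(\w+)\s*(?::\s*[\w<>?]+)?\s*=\s*(.+?)\s*(?://.*)?$`)
	// A bare ByteArray(n) is all zeros: just as fixed as a literal.
	zeroArrayRe = regexp.MustCompile(`^ByteArray\(\d+\)$`)
)

// isLiteralBytes reports whether expr yields the same bytes on every run.
func isLiteralBytes(expr string) bool {
	expr = strings.TrimSpace(expr)
	switch {
	case strings.HasPrefix(expr, `"`) && strings.Contains(expr, ".toByteArray("):
		return true // "secret".toByteArray(...)
	case strings.HasPrefix(expr, "byteArrayOf("):
		return true // byteArrayOf(0x00, 0x01, ...)
	case zeroArrayRe.MatchString(expr):
		return true // ByteArray(16) with no random fill
	}
	return false
}

// ivSpecArgs extracts the argument text of every IvParameterSpec(...) call on a line,
// balancing parentheses so nested calls such as byteArrayOf(...) stay whole.
func ivSpecArgs(line string) []string {
	const call = "IvParameterSpec("
	var args []string
	for {
		start := strings.Index(line, call)
		if start < 0 {
			return args
		}
		rest := line[start+len(call):]
		depth, end := 1, -1
		for i := 0; i < len(rest); i++ {
			switch rest[i] {
			case '(':
				depth++
			case ')':
				depth--
				if depth == 0 {
					end = i
				}
			}
			if end >= 0 {
				break
			}
		}
		if end < 0 {
			return args // call continues on the next line; out of scope for a line scanner
		}
		args = append(args, strings.TrimSpace(rest[:end]))
		line = rest[end+1:]
	}
}

// ScanKotlin walks the source line by line, records single-line val/var bindings,
// and flags IvParameterSpec calls whose argument is a literal or a name bound to one.
func ScanKotlin(src string) []Finding {
	bindings := map[string]string{}
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		if m := assignRe.FindStringSubmatch(line); m != nil {
			bindings[m[1]] = m[2]
		}
		for _, arg := range ivSpecArgs(line) {
			expr := arg
			if bound, ok := bindings[arg]; ok {
				expr = bound
			}
			if isLiteralBytes(expr) {
				findings = append(findings, Finding{Line: i + 1, Arg: arg, Expr: expr})
			}
		}
	}
	return findings
}

// sampleKotlin is constructed input for this demo, not code from any real project.
const sampleKotlin = `val bytesIV = "7cVgr5cbdCZVw5WY".toByteArray(charset("UTF-8")) // static IV
val iv1 = IvParameterSpec(bytesIV)
val iv2 = IvParameterSpec(byteArrayOf(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15))
val random = ByteArray(16).also { SecureRandom().nextBytes(it) }
val iv3 = IvParameterSpec(random)
fun fromHeader(ivBytes: ByteArray) = IvParameterSpec(ivBytes)`

func main() {
	for _, f := range ScanKotlin(sampleKotlin) {
		fmt.Printf("line %d: IvParameterSpec(%s) uses a fixed IV: %s\n", f.Line, f.Arg, f.Expr)
	}
}
```

Only the first two constructions are reported: the IV filled by SecureRandom and the IV received as a function parameter are left alone, because the scanner cannot prove they are constant. That mirrors the rule's intent of flagging constant or literal byte arrays rather than every IvParameterSpec use.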
Vulnerable code example
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

// Crypto initialization with hardcoded IV
val bytesIV = "7cVgr5cbdCZVw5WY".toByteArray(charset("UTF-8")) // VULNERABLE: Hardcoded/predictable IV
val iv = IvParameterSpec(bytesIV)
val skeySpec = SecretKeySpec(secretKey.toByteArray(), "AES")
val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING")
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv) // VULNERABLE: Using predictable IV in cipher
Secure code example
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom

// Generate a fresh random IV for each encryption
val secureRandom = SecureRandom()
val iv = ByteArray(12).also { secureRandom.nextBytes(it) } // 12 bytes for GCM mode
val skeySpec = SecretKeySpec(secretKey.toByteArray(), "AES")
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, GCMParameterSpec(128, iv)) // 128-bit authentication tag
// The IV is not secret: store or send it with the ciphertext so the receiver can decrypt,
// but never reuse it with the same key
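To make concrete what separates the vulnerable and secure examples above, here is an added Go demonstration (not code from the original page): it encrypts two records that share their first 16 bytes with AES/CBC/PKCS5Padding, once under the page's literal IV and once under IVs drawn from the OS CSPRNG, which is the Go counterpart of SecureRandom. The key, the messages and the helper names are constructed for this example; Go is used here because its standard library provides AES and CBC, so the demo runs without any dependencies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo values, not real secrets. The IV is the page's 16-byte literal.
var (
	demoKey     = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	hardcodedIV = []byte("7cVgr5cbdCZVw5WY")
)

// pkcs7Pad applies PKCS#5/#7 padding, as "PKCS5PADDING" does on the JVM.
func pkcs7Pad(msg []byte, blockSize int) []byte {
	n := blockSize - len(msg)%blockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC is AES/CBC/PKCS5Padding with a caller-supplied IV; the IV is not prepended.
func encryptCBC(key, iv, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(msg, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// randomIV is the equivalent of SecureRandom().nextBytes(iv) for one CBC block.
func randomIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// sharedLeadingBlocks counts how many leading 16-byte blocks two ciphertexts have in common.
func sharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// Demo encrypts two records that share their first block and returns: whether the same
// message encrypted twice under the fixed IV is byte-identical, how many leading blocks
// the two records share under the fixed IV, and how many they share with fresh IVs.
func Demo() (sameMsgIdentical bool, fixedShared, randomShared int, err error) {
	m1 := []byte("account=alice;  balance=100") // bytes 0..15 are equal in m1 and m2
	m2 := []byte("account=alice;  balance=999")
	c1, err := encryptCBC(demoKey, hardcodedIV, m1)
	if err != nil {
		return
	}
	c1Again, _ := encryptCBC(demoKey, hardcodedIV, m1)
	c2, _ := encryptCBC(demoKey, hardcodedIV, m2)
	iv1, err1 := randomIV()
	iv2, err2 := randomIV()
	if err1 != nil || err2 != nil {
		return false, 0, 0, fmt.Errorf("random IV: %v %v", err1, err2)
	}
	d1, _ := encryptCBC(demoKey, iv1, m1)
	d2, _ := encryptCBC(demoKey, iv2, m2)
	return bytes.Equal(c1, c1Again), sharedLeadingBlocks(c1, c2), sharedLeadingBlocks(d1, d2), nil
}

func main() {
	same, fixed, random, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fixed IV: repeated message identical=%v, shared leading blocks=%d\n", same, fixed)
	fmt.Printf("random IV: shared leading blocks=%d\n", random)
}
```

Under the fixed IV the first ciphertext block of both records is identical and encrypting the same record twice produces byte-identical output, so anyone who sees only ciphertext learns which records repeat or share a prefix, without the key. With a fresh IV per message the shared block count drops to zero. The same requirement applies to the GCM variant in the secure example: the 12-byte nonce must be fresh for every encryption under a key, since nonce reuse in GCM compromises both confidentiality and the authentication tag.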