Kotlin Hardcoded Initialization Vector
Description
Detects hardcoded initialization vectors (IVs) in cryptographic operations that use IvParameterSpec in Kotlin code. A static or hardcoded IV instead of a fresh random one weakens the encryption: with a fixed IV and key, the same plaintext always produces the same ciphertext, so an observer can recognize repeated messages, and in modes such as CBC or CTR a reused IV enables further cryptanalytic attacks.
Detection Strategy
• Check whether the javax.crypto.spec package is imported in the source file
• Find instantiations of the IvParameterSpec class
• Examine the first argument passed to the IvParameterSpec constructor
• Report a vulnerability when that value is hardcoded or static (a string literal, a constant array, or a field initialized with one) rather than derived from a proper random source
• Do not report values that are sanitized or generated through a secure random function such as SecureRandom
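The strategy above, written out as a small line-oriented checker is an added example, not Fluid Attacks' own rule (a production rule works on the parsed syntax tree and data flow rather than regular expressions). It assumes a single Kotlin source file as input; the sample file embedded in main() is constructed to match the vulnerable pattern on this page.

```kotlin
import java.io.File

// Constructed example: a line-oriented approximation of the detection strategy.
// Not Fluid Attacks' scanner; it only illustrates the five checks on a source string.
data class Finding(val line: Int, val argument: String, val reason: String)

// Steps 2 and 3: an IvParameterSpec(...) call and its first argument, which is either
// a string literal, a byteArrayOf(...) literal, or an identifier chain such as IV.toByteArray().
private val ivCtor = Regex("""IvParameterSpec\s*\(\s*("[^"]*"|byteArrayOf\([^)]*\)|[A-Za-z_][\w.]*(?:\(\))?)""")

// Names bound to a literal anywhere in the file (val IV = "..." or val IV = byteArrayOf(...)).
private val literalBinding = Regex("""val\s+(\w+)\s*(?::\s*\w+)?\s*=\s*(?:"[^"]*"|byteArrayOf\()""")

fun findHardcodedIvs(source: String): List<Finding> {
    // Step 1: only files that can use IvParameterSpec are of interest.
    if (!source.contains("import javax.crypto.spec")) return emptyList()
    val constants = literalBinding.findAll(source).map { it.groupValues[1] }.toSet()
    return source.lines().withIndex().flatMap { (index, line) ->
        ivCtor.findAll(line).mapNotNull { m ->
            val arg = m.groupValues[1]
            val root = arg.substringBefore('.').substringBefore('(')
            when {
                // Step 4: an inline literal is always a finding.
                arg.startsWith('"') || arg.startsWith("byteArrayOf(") ->
                    Finding(index + 1, arg, "inline literal IV")
                // Step 4: a constant whose initializer is a literal is a finding too.
                root in constants ->
                    Finding(index + 1, arg, "IV read from constant '$root'")
                // Step 5: anything the file does not bind to a literal (e.g. SecureRandom output,
                // a parameter) is treated as properly generated and not reported.
                else -> null
            }
        }.toList()
    }
}

fun main(args: Array<String>) {
    // Constructed input mirroring the vulnerable pattern on this page; pass a file path to scan a real file.
    val sample = args.firstOrNull()?.let { File(it).readText() } ?: """
        import javax.crypto.spec.IvParameterSpec
        class CryptoUtil {
            private val IV = "0123456789abcdef"
            fun bad() = IvParameterSpec(IV.toByteArray())
            fun good(iv: ByteArray) = IvParameterSpec(iv)
        }
    """.trimIndent()
    findHardcodedIvs(sample).forEach { println("line ${it.line}: ${it.reason}: ${it.argument}") }
}
```

On the embedded sample the checker reports the IvParameterSpec(IV.toByteArray()) call, because IV is bound to a string literal, and stays silent on IvParameterSpec(iv), whose origin the file does not tie to a literal. The deliberate bias is toward not reporting unknown sources, which keeps false positives low at the cost of missing IVs that reach the constructor through less obvious paths.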
Vulnerable code example
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
class CryptoUtil {
    private val IV = "0123456789abcdef" // Vulnerable: Hardcoded IV makes encryption predictable
    fun encrypt(data: String, password: String): ByteArray {
        // Body reconstructed from the truncated original: the fixed IV goes straight into the cipher
        val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(password.toByteArray(), "AES"), IvParameterSpec(IV.toByteArray()))
        return cipher.doFinal(data.toByteArray())
    }
}
✅ Secure code example
import javax.crypto.Cipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom
class CryptoUtil {
    fun encrypt(data: String, password: String): ByteArray {
        val iv = ByteArray(16)
        SecureRandom().nextBytes(iv) // Secure: fresh, unpredictable IV for every encryption
        val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(password.toByteArray(), "AES"), IvParameterSpec(iv)) // key must be 16, 24 or 32 bytes
        // Body reconstructed from the truncated original: the IV is prepended so the receiver can decrypt
        return iv + cipher.doFinal(data.toByteArray())
    }
}
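To make the risk described above concrete, and to show the complete decrypt side that the secure example leaves out, the following added example (not code from this page) encrypts one message twice with the fixed IV and twice with a fresh random IV, then round-trips the random-IV output. It assumes a key from KeyGenerator rather than the password parameter used in the page's snippets; the message and the fixed IV value are constructed.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

// Constructed example: the weak pattern this rule flags, kept only for comparison.
private const val FIXED_IV = "0123456789abcdef"
private const val IV_LEN = 16 // AES block size, which CBC requires for the IV

fun encryptCbc(key: SecretKey, iv: ByteArray, plaintext: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
    return cipher.doFinal(plaintext)
}

// Secure pattern: a fresh random IV per message, prepended to the ciphertext.
// The IV need not be secret; it must be unpredictable and never reused under the same key.
fun encryptWithRandomIv(key: SecretKey, plaintext: ByteArray): ByteArray {
    val iv = ByteArray(IV_LEN).also { SecureRandom().nextBytes(it) }
    return iv + encryptCbc(key, iv, plaintext)
}

// Receiver side: split the IV prefix off and decrypt the remainder with it.
fun decryptWithPrefixedIv(key: SecretKey, blob: ByteArray): ByteArray {
    require(blob.size > IV_LEN) { "ciphertext too short to contain an IV" }
    val iv = blob.copyOfRange(0, IV_LEN)
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.DECRYPT_MODE, key, IvParameterSpec(iv))
    return cipher.doFinal(blob, IV_LEN, blob.size - IV_LEN)
}

fun main() {
    val key = KeyGenerator.getInstance("AES").apply { init(128) }.generateKey()
    val msg = "transfer 100 EUR to account 42".toByteArray() // constructed message

    // Fixed IV: identical plaintexts under the same key give identical ciphertexts.
    val fixed1 = encryptCbc(key, FIXED_IV.toByteArray(), msg)
    val fixed2 = encryptCbc(key, FIXED_IV.toByteArray(), msg)
    println("fixed IV, repeated plaintext yields identical ciphertext: ${fixed1.contentEquals(fixed2)}")

    // Random IV: the same plaintext encrypts differently every time, and still decrypts correctly.
    val rnd1 = encryptWithRandomIv(key, msg)
    val rnd2 = encryptWithRandomIv(key, msg)
    println("random IV, repeated plaintext yields identical ciphertext: ${rnd1.contentEquals(rnd2)}")
    println("random IV round trip matches original: ${decryptWithPrefixedIv(key, rnd1).contentEquals(msg)}")
}
```

Run it with kotlinc or as part of a Gradle project; the fixed-IV pair compares equal while the random-IV pair does not, which is exactly the distinguishability the description warns about. Prepending the IV is the conventional way to transport it, so the receiver never needs a shared constant, which is what tempts developers into hardcoding one in the first place.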