Kotlin Insecure Cipher Usage
Description
Detects insecure TLS version configurations in Kotlin applications that could allow weak cryptographic protocols. Using outdated TLS versions (like TLS 1.0 or 1.1) can expose applications to known vulnerabilities and man-in-the-middle attacks.
Detection Strategy
• Identifies calls to the 'tlsVersions' method in code
• Examines the arguments passed to tlsVersions to check for insecure TLS version configurations
• Reports a vulnerability when tlsVersions is configured with potentially unsafe TLS protocol versions
• Focuses specifically on Kotlin HTTP client configurations where TLS settings are defined
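The following is an added example, not Fluid Attacks' code, showing the kind of configuration the rule flags beside the remediated form. It assumes the HTTP client is OkHttp (the page does not name the client); the `offeredTlsVersions` helper and the `weak` set are this example's own additions.

```kotlin
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion

// Flagged: tlsVersions still admits TLS 1.0 and 1.1, so a downgraded handshake
// to a legacy protocol with known weaknesses remains possible.
fun insecureClient(): OkHttpClient {
    val legacySpec = ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
        .tlsVersions(TlsVersion.TLS_1_0, TlsVersion.TLS_1_1, TlsVersion.TLS_1_2)
        .build()
    return OkHttpClient.Builder()
        .connectionSpecs(listOf(legacySpec))
        .build()
}

// Remediated: only TLS 1.2 and 1.3 are offered, so none of the tlsVersions
// arguments is a version the rule reports.
fun secureClient(): OkHttpClient {
    val modernSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_3)
        .build()
    return OkHttpClient.Builder()
        .connectionSpecs(listOf(modernSpec))
        .build()
}

// Review helper (assumed, not part of the rule): collects the versions a
// client's connection specs actually offer. tlsVersions is null for
// cleartext specs, hence the empty-list fallback.
fun offeredTlsVersions(client: OkHttpClient): Set<TlsVersion> =
    client.connectionSpecs.flatMap { it.tlsVersions ?: emptyList() }.toSet()

fun main() {
    // Versions treated as weak for this check (assumption of the example).
    val weak = setOf(TlsVersion.SSL_3_0, TlsVersion.TLS_1_0, TlsVersion.TLS_1_1)
    for ((name, client) in listOf("insecure" to insecureClient(), "secure" to secureClient())) {
        val offered = offeredTlsVersions(client)
        val flagged = offered.intersect(weak)
        println("$name client offers $offered; weak versions found: $flagged")
    }
}
```

Running main prints a non-empty weak set only for the insecure client, which is the condition the rule reports.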
Vulnerable code example
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import java.security.MessageDigest
import javax.net.ssl.SSLContext

fun main() {
    // VULNERABLE: Using weak cipher algorithm DES (56-bit key, considered broken)
    val cipher = Cipher.getInstance("DES")
    // ...
}

✅ Secure code example
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import java.security.MessageDigest
import javax.net.ssl.SSLContext

fun main() {
    // Using strong AES cipher with GCM mode for authenticated encryption
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    // ...
}