Kotlin Hardcoded Salt Bytes
Description
Identifies instances where cryptographic operations use hardcoded salt values in PBEKeySpec or PBEParameterSpec constructors. A hardcoded salt defeats the purpose of salting: because the same value is used for every password, identical passwords produce identical derived keys, and a single precomputed table covers all of them, leaving the hashes vulnerable to precomputation attacks.
Detection Strategy
• Check for usage of PBEKeySpec or PBEParameterSpec constructors in Kotlin code
• Verify if the salt parameter is provided as a hardcoded byte array
• Confirm the salt value is not derived from a secure random source
• Report a vulnerability if a hardcoded salt is used in these cryptographic operations
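The four detection steps above, implemented as a small line-based checker (an added example, not Fluid Attacks' own analyzer): it first records names bound to literal byte arrays, then inspects the salt argument of every PBEKeySpec or PBEParameterSpec call. The Kotlin snippets it scans are constructed here; a production implementation would work on a parsed syntax tree rather than regular expressions.

```python
import re
# Salt argument position for each constructor the rule targets:
# PBEKeySpec(password, salt, iterations, keyLength) and PBEParameterSpec(salt, iterations, ...).
SALT_ARG_INDEX = {"PBEKeySpec": 1, "PBEParameterSpec": 0}
# A hardcoded salt is a string literal turned into bytes or a byteArrayOf(...) literal.
HARDCODED_VALUE = re.compile(r'^("[^"]*"\.toByteArray\(.*\)|byteArrayOf\(.*\))$')
# val/var binding: captures the name and the right-hand side, minus any trailing // comment.
ASSIGNMENT = re.compile(r'\b(?:val|var)\s+(\w+)\s*=\s*(.+?)\s*(?://.*)?$')
# Constructor call whose arguments nest at most one level of parentheses.
CALL = re.compile(r'\b(PBEKeySpec|PBEParameterSpec)\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)')

def split_args(arg_text):
    """Split a Kotlin argument list on top-level commas only."""
    args, depth, current = [], 0, ""
    for ch in arg_text:
        depth += (ch in "([{") - (ch in ")]}")
        if ch == "," and depth == 0:
            args.append(current.strip())
            current = ""
        else:
            current += ch
    return args + [current.strip()] if current.strip() else args

def find_hardcoded_salts(kotlin_source):
    """Return (line, constructor, salt expression) for each hardcoded salt passed to a PBE spec."""
    lines = kotlin_source.splitlines()
    # Pass 1: names bound to literal byte arrays. A salt filled by SecureRandom.nextBytes
    # is never recorded here, so the secure pattern produces no finding.
    hardcoded_names = set()
    for line in lines:
        m = ASSIGNMENT.search(line)
        if m and HARDCODED_VALUE.match(m.group(2)):
            hardcoded_names.add(m.group(1))
    # Pass 2: inspect the salt argument of every PBEKeySpec / PBEParameterSpec call.
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in CALL.finditer(line):
            ctor, args, idx = m.group(1), split_args(m.group(2)), SALT_ARG_INDEX[m.group(1)]
            salt = args[idx] if len(args) > idx else None
            if salt and (HARDCODED_VALUE.match(salt) or salt in hardcoded_names):
                findings.append((lineno, ctor, salt))
    return findings

# Constructed Kotlin samples modelled on the vulnerable and secure patterns (not the page's own code).
VULNERABLE_KOTLIN = """\
val staticSalt = "WeakStaticSalt123".toByteArray(StandardCharsets.UTF_8) // hardcoded
val spec = PBEKeySpec(password.toCharArray(), staticSalt, 10000, 256)
"""
SECURE_KOTLIN = """\
val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
val spec = PBEKeySpec(password.toCharArray(), salt, 10000, 256)
"""
```

Running `find_hardcoded_salts(VULNERABLE_KOTLIN)` reports the PBEKeySpec call on line 2 with `staticSalt`, while the SecureRandom-based sample yields no finding.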
Vulnerable code example
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import java.nio.charset.StandardCharsets

fun encryptWithStaticSalt(password: String): ByteArray {
    val staticSalt = "WeakStaticSalt123".toByteArray(StandardCharsets.UTF_8) // Vulnerable: hardcoded salt instead of a random one
    val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
    val spec = PBEKeySpec(password.toCharArray(), staticSalt, 10000, 256)
    // Every caller derives the key from the same salt, so equal passwords always yield equal keys
    return factory.generateSecret(spec).encoded
}

✅ Secure code example
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import java.security.SecureRandom
import java.nio.charset.StandardCharsets

fun encryptWithRandomSalt(password: String): ByteArray {
    val random = SecureRandom()
    val salt = ByteArray(16).also { random.nextBytes(it) } // Secure: fresh random salt from SecureRandom
    val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
    val spec = PBEKeySpec(password.toCharArray(), salt, 10000, 256)
    // The salt must be stored next to the derived key so the same key can be recomputed later
    return factory.generateSecret(spec).encoded
}