Dart Hardcoded Crypto Iv
Description
This vulnerability detector identifies hardcoded initialization vectors (IVs) in Dart cryptographic operations. A fixed IV reused across encryption operations makes the output predictable: encrypting the same plaintext under the same key yields the same ciphertext, which exposes the data to cryptographic attacks. IVs must therefore be freshly and randomly generated for each encryption operation.
Detection Strategy
• Reports vulnerabilities when Dart code imports the encrypt package (package:encrypt/encrypt.dart)
• Flags specific cryptographic method calls that unconditionally use hardcoded IVs
• Detects cryptographic methods where the first argument (the IV parameter) is a hardcoded literal value rather than a dynamically generated one
• Triggers when a hardcoded value is passed directly to an IV-sensitive cryptographic function of the encrypt library
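The following Python scanner is an added illustration of the detection strategy above; it is not the rule's own implementation. It flags IV constructors of the encrypt package that receive a literal argument only in files that import package:encrypt/encrypt.dart, and it goes slightly beyond the page's IV.fromUtf8 case by also treating IV.fromBase64, IV.fromBase16 and the zero-filled IV.fromLength as hardcoded (an assumption made here). The Dart snippets are constructed sample input.

```python
import re
from dataclasses import dataclass

# Only files that import the encrypt package are considered (rule strategy).
ENCRYPT_IMPORT = re.compile(r"""import\s+['"]package:encrypt/encrypt\.dart['"]""")
# IV constructors fed a string literal: the IV is fixed at compile time.
LITERAL_IV = re.compile(
    r"""\bIV\.(fromUtf8|fromBase64|fromBase16)\(\s*(?P<q>['"])(?P<val>.*?)(?P=q)\s*\)"""
)
# IV.fromLength(n) yields n zero bytes, i.e. a constant IV (assumption: flagged too).
ZERO_IV = re.compile(r"\bIV\.fromLength\(\s*(?P<n>\d+)\s*\)")


@dataclass(frozen=True)
class Finding:
    line: int         # 1-based line number in the Dart source
    constructor: str  # e.g. "IV.fromUtf8"
    literal: str      # the hardcoded argument as written


def find_hardcoded_ivs(source: str) -> list[Finding]:
    """Return one Finding per hardcoded IV in a Dart source file."""
    if not ENCRYPT_IMPORT.search(source):
        return []  # encrypt package not imported: out of scope for this rule
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # commented-out code is not a live call
        for m in LITERAL_IV.finditer(line):
            findings.append(Finding(lineno, "IV." + m.group(1), m.group("val")))
        for m in ZERO_IV.finditer(line):
            findings.append(Finding(lineno, "IV.fromLength", m.group("n")))
    return findings


# Constructed sample input mirroring the vulnerable and secure examples.
VULNERABLE_DART = """\
import 'package:encrypt/encrypt.dart';
void encryptData() {
  final iv = IV.fromUtf8('0123456789abcdef'); // fixed IV
  final encrypter = Encrypter(AES(Key.fromSecureRandom(32)));
  encrypter.encrypt('secret data', iv: iv);
}
"""
SECURE_DART = VULNERABLE_DART.replace(
    "IV.fromUtf8('0123456789abcdef')", "IV.fromSecureRandom(16)"
)

if __name__ == "__main__":
    for f in find_hardcoded_ivs(VULNERABLE_DART):
        print(f"line {f.line}: hardcoded IV via {f.constructor}({f.literal!r})")
```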
Vulnerable code example
import 'package:encrypt/encrypt.dart';

void encryptData() {
  final iv = IV.fromUtf8('0123456789abcdef'); // VULNERABLE: fixed IV makes encryption predictable
  final encrypter = Encrypter(AES(Key.fromSecureRandom(32)));
  encrypter.encrypt('secret data', iv: iv);
}

✅ Secure code example
import 'package:encrypt/encrypt.dart';

void encryptData() {
  final iv = IV.fromSecureRandom(16); // SAFE: cryptographically random IV generated at runtime
  final encrypter = Encrypter(AES(Key.fromSecureRandom(32)));
  // The IV is not secret: store or transmit it alongside the ciphertext so it can be decrypted.
  encrypter.encrypt('secret data', iv: iv);
}