Kotlin Insecure Key Usage
Description
Detects the usage of weak RSA key sizes in Kotlin applications by identifying RSAKeyGenParameterSpec instantiations with insufficient key lengths. Using RSA keys that are too short makes the cryptographic implementation vulnerable to brute-force attacks and could compromise the security of encrypted data.
Detection Strategy
• Look for usage of RSAKeyGenParameterSpec class (including fully qualified names) in the source code
• When RSAKeyGenParameterSpec is found, examine the first argument passed to its constructor, which specifies the key size in bits
• If the key size parameter is too small (typically less than recommended secure lengths like 2048 bits), flag it as vulnerable
• Report each instance where RSAKeyGenParameterSpec is used with an insecure key size
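A small scanner that implements the strategy above, added here as an example and not part of Fluid Attacks' rule or tooling. It treats Kotlin sources as plain text, matches both the simple and fully qualified class name, resolves key sizes given as `val` integer constants in the same file, and reports any call whose size it cannot resolve statically so a reviewer can check it; the Kotlin sample it scans is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 2048  # threshold from the detection strategy above

# Matches RSAKeyGenParameterSpec(<first arg> ...), with or without the package prefix.
SPEC_CALL = re.compile(
    r"(?:java\.security\.spec\.)?RSAKeyGenParameterSpec\s*\(\s*([A-Za-z_]\w*|\d[\d_]*)"
)
# Matches integer constants such as `const val LEGACY_BITS = 1024` so named sizes resolve.
CONST_DEF = re.compile(r"\bval\s+([A-Za-z_]\w*)\s*(?::\s*Int)?\s*=\s*(\d[\d_]*)\b")


@dataclass
class Finding:
    line: int
    key_size: Optional[int]  # None when the argument is not a literal or a known constant
    snippet: str


def scan_kotlin(source: str) -> list:
    """Flag each RSAKeyGenParameterSpec call whose key size is below MIN_RSA_BITS,
    plus calls whose size cannot be resolved statically (left for manual review)."""
    constants = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in CONST_DEF.findall(line):
            constants[name] = int(value.replace("_", ""))  # Kotlin allows 1_024
        for m in SPEC_CALL.finditer(line):
            arg = m.group(1)
            size = int(arg.replace("_", "")) if arg[0].isdigit() else constants.get(arg)
            if size is None or size < MIN_RSA_BITS:
                findings.append(Finding(lineno, size, line.strip()))
    return findings


# Constructed Kotlin sample (not from the original page): two weak, one strong, one unresolved.
SAMPLE = """\
import java.security.spec.RSAKeyGenParameterSpec
const val LEGACY_BITS = 1024
val weak = RSAKeyGenParameterSpec(1024, RSAKeyGenParameterSpec.F4)
val alias = java.security.spec.RSAKeyGenParameterSpec(LEGACY_BITS, RSAKeyGenParameterSpec.F4)
val strong = RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4)
fun dynamic(bits: Int) = RSAKeyGenParameterSpec(bits, RSAKeyGenParameterSpec.F4)
"""

if __name__ == "__main__":
    for f in scan_kotlin(SAMPLE):
        print(f"line {f.line}: key size {f.key_size} -> {f.snippet}")
```

Unresolved sizes (a parameter or a value computed at runtime) are reported rather than silently accepted, since a literal-only check would miss them.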
Vulnerable code example
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import java.security.MessageDigest
import javax.net.ssl.SSLContext
fun main() {
    // Vulnerable: Using weak cipher algorithm
    val cipher1 = Cipher.getInstance("DES")
    // ...
}
✅ Secure code example
import javax.crypto.Cipher
import java.security.spec.RSAKeyGenParameterSpec
import java.security.MessageDigest
import javax.net.ssl.SSLContext
fun main() {
    // Secure: Using AES/GCM for strong encryption
    val cipher1 = Cipher.getInstance("AES/GCM/NoPadding")
    // ...
}