Kotlin Insecure Hash Sha1
Description
Identifies the use of cryptographically weak hash functions (MD2, MD5, SHA-1) that are considered insecure for cryptographic purposes. These algorithms are vulnerable to collision attacks and should not be used for security-critical operations like password hashing or digital signatures.
Detection Strategy
• Scans for function calls to known insecure hashing methods from common libraries including Apache Commons Codec DigestUtils and Google Guava Hashing
• Detects specific method invocations like md5(), sha1(), getMd5Digest(), and other weak hash implementations
• Reports vulnerabilities when code uses deprecated hash functions from java.security.spec, org.apache.commons.codec.digest, or com.google.common.hash packages
• Flags usage of non-cryptographic hash functions such as Adler32 and CRC32 when they are used in security contexts
Vulnerable code example
import javax.crypto.Cipher
import java.security.MessageDigest
import javax.net.ssl.SSLContext
import java.security.spec.RSAKeyGenParameterSpec

fun demonstrateVulnerabilities() {
    // Vulnerable: Uses weak cipher algorithm
    val cipher1 = Cipher.getInstance("DES")
    // ...
}

✅ Secure code example
import javax.crypto.Cipher
import java.security.MessageDigest
import javax.net.ssl.SSLContext
import java.security.spec.RSAKeyGenParameterSpec

fun demonstrateSecurePractices() {
    // Secure: Uses strong AES cipher with GCM mode
    val cipher1 = Cipher.getInstance("AES/GCM/NoPadding")
    // ...
}
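As an added illustration that is not part of the rule page, the Kotlin snippet below places the hash call patterns this rule reports (MessageDigest with SHA-1 or MD5, Apache Commons Codec DigestUtils, Guava Hashing, and a CRC32 checksum) next to the replacements a reviewer would expect: SHA-256 for integrity digests and a salted PBKDF2 derivation for password storage, verified with a constant-time comparison. It assumes commons-codec and guava are on the classpath; the iteration count and key length are example values chosen here, not values from the page.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import org.apache.commons.codec.digest.DigestUtils
import com.google.common.hash.Hashing

// Vulnerable: every call here is a pattern the rule flags (assumed dependencies: commons-codec, guava).
fun weakDigests(data: ByteArray): List<ByteArray> = listOf(
    MessageDigest.getInstance("SHA-1").digest(data),   // java.security, SHA-1
    MessageDigest.getInstance("MD5").digest(data),     // java.security, MD5
    DigestUtils.sha1(data),                            // commons-codec sha1()
    DigestUtils.getMd5Digest().digest(data),           // commons-codec getMd5Digest()
    Hashing.sha1().hashBytes(data).asBytes(),          // Guava sha1()
    Hashing.crc32().hashBytes(data).asBytes()          // non-cryptographic checksum
)

// Secure: SHA-256 for integrity digests. Not for passwords, which need a slow, salted KDF.
fun sha256(data: ByteArray): ByteArray = MessageDigest.getInstance("SHA-256").digest(data)

// Secure: PBKDF2-HMAC-SHA256 for password storage. Iteration count and key length are
// example values; tune the count to the deployment's latency budget.
fun pbkdf2(password: CharArray, salt: ByteArray, iterations: Int = 600_000): ByteArray {
    val spec = PBEKeySpec(password, salt, iterations, 256)
    return try {
        SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    } finally {
        spec.clearPassword() // scrub the in-memory copy of the password
    }
}

// Constant-time comparison so verification timing does not leak how many bytes matched.
fun verifyPassword(password: CharArray, salt: ByteArray, expected: ByteArray): Boolean =
    MessageDigest.isEqual(pbkdf2(password, salt), expected)

fun main() {
    // Constructed sample input; a SAST run over this file reports weakDigests(), not the rest.
    val data = "constructed sample input".toByteArray()
    println("SHA-256: " + sha256(data).joinToString("") { "%02x".format(it) })

    val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    val stored = pbkdf2("correct horse battery staple".toCharArray(), salt)
    check(verifyPassword("correct horse battery staple".toCharArray(), salt, stored))
    check(!verifyPassword("wrong password".toCharArray(), salt, stored))
    println("password verification behaves as expected")
}
```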