Hardcoded Crypto Material

Description

Embedding encryption keys, IVs, or salts in the code lets attackers recover them via static analysis and decrypt or forge protected data.

Examples

Search for Hardcoded Keys

jadx -r -d out app-release.apk
rg -n "SecretKeySpec\(|IvParameterSpec\(|Base64\.decode\(" out

Byte-array or Base64 literals feeding these constructors as keys or IVs indicate exposed key material.
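An added triage script, not part of this page's procedure, that narrows the ripgrep hits above: it flags SecretKeySpec/IvParameterSpec calls only when the bytes trace back to a literal byte array or a Base64-encoded string constant, and leaves Keystore-, KDF- and SecureRandom-backed uses alone. The file paths and contents are constructed samples standing in for jadx output.

```python
import re

# Constructed sample standing in for jadx output (not from a real app).
SAMPLE_SOURCES = {
    "out/com/example/LegacyCipher.java": """\
public class LegacyCipher {
    private static final byte[] KEY = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
    private static final String IV_B64 = "AAAAAAAAAAAAAAAAAAAAAA==";
    SecretKeySpec key = new SecretKeySpec(KEY, "AES");
    IvParameterSpec iv = new IvParameterSpec(Base64.decode(IV_B64, Base64.DEFAULT));
}""",
    "out/com/example/KeystoreCipher.java": """\
public class KeystoreCipher {
    byte[] ivBytes = new byte[12];
    void init() { new SecureRandom().nextBytes(ivBytes); }
    IvParameterSpec iv = new IvParameterSpec(ivBytes);
    SecretKeySpec k = new SecretKeySpec(pbkdf.generateSecret(spec).getEncoded(), "AES");
}""",
}

# Constructors that take raw key/IV bytes, and the literal definitions they may consume.
KEY_CTOR = re.compile(r"new\s+(SecretKeySpec|IvParameterSpec)\s*\(([^;]*)\)\s*;")
BYTE_LIT = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{")
STR_LIT = re.compile(r'String\s+(\w+)\s*=\s*"')
B64_CALL = re.compile(r'Base64\.decode\(\s*("[^"]*"|\w+)')
INLINE_ARRAY = re.compile(r"new\s+byte\[\]\s*\{")

def is_hardcoded(arg: str, byte_names: set, str_names: set) -> bool:
    """True when the constructor's first argument resolves to a compile-time literal."""
    b64 = B64_CALL.search(arg)
    if b64:  # Base64.decode("...") or Base64.decode(CONST) where CONST is a String literal
        src = b64.group(1)
        return src.startswith('"') or src in str_names
    first = arg.split(",", 1)[0].strip()
    if INLINE_ARRAY.match(first):  # new byte[]{...} passed directly
        return True
    return first in byte_names  # named byte[] initialised from an array literal

def scan(sources: dict) -> list:
    """Return (path, line, constructor) for every literal-backed key or IV."""
    findings = []
    for path, text in sources.items():
        byte_names = set(BYTE_LIT.findall(text))
        str_names = set(STR_LIT.findall(text))
        for m in KEY_CTOR.finditer(text):
            if is_hardcoded(m.group(2), byte_names, str_names):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((path, line, m.group(1)))
    return findings
```

Point `scan` at the real decompiled tree by reading each `.java` file under `out` into the dict; the KeystoreCipher sample shows why the bare rg pattern over-reports.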

Remediation

  1. Derive and protect keys
    • Generate keys at install; store in Keychain/Keystore; never hardcode or ship with the app.
  2. Rotate and scope
    • Rotate keys periodically; scope keys to device/user/app feature.
  3. Code scanning
    • Add secret scanning to CI and block hardcoded material.