Skip to main content

App development and encryption methods

qa_swe_403
1d ago 14 1
Anyone have thoughts on encrypting data in an app and verifying that the salt, IV, etc. are always in the right place but never vulnerable?

1 Comment

Ishan Dev Shukl
Encryption isn’t usually broken because the IV or salt is visible. In fact, salts and IVs are often stored alongside the ciphertext by design. The real questions are:

• Is the salt unique per password/credential?
• Is the IV unique (and unpredictable where required) for every encryption operation?
• Are encryption keys protected and rotated appropriately?
• Is a modern algorithm being used (AES-GCM, Argon2, PBKDF2, etc.)?
• Can an attacker tamper with ciphertext without detection?

From a testing perspective, I’d focus less on “hiding” the salt/IV and more on validating their generation, uniqueness, storage format, key management, and resistance to replay/tampering attacks.

If you’re testing mobile or web apps, intercepting traffic, inspecting local storage, and reviewing logs often reveals more security gaps than the crypto implementation itself. The hardest part is usually key management, not encryption.

Join the discussion

Sign in to join the discussion

Sign in