Encryption isn’t usually broken because the IV or salt is visible. In fact, salts and IVs are often stored alongside the ciphertext by design. The real questions are:
• Is the salt unique per password/credential?
• Is the IV unique (and unpredictable where required) for every encryption operation?
• Are encryption keys protected and rotated appropriately?
• Is a modern algorithm being used (AES-GCM, Argon2, PBKDF2, etc.)?
• Can an attacker tamper with ciphertext without detection?
From a testing perspective, I’d focus less on “hiding” the salt/IV and more on validating their generation, uniqueness, storage format, key management, and resistance to replay/tampering attacks.
If you’re testing mobile or web apps, intercepting traffic, inspecting local storage, and reviewing logs often reveals more security gaps than the crypto implementation itself. The hardest part is usually key management, not encryption.