In the Android application cats.goods.sort.sorting.games version 1.200, the class com.jh.utils.jRwTX contains a hardcoded AES key and IV. An attacker can extract these static strings by reverse engineering the APK and use them to decrypt server responses, potentially gaining access to sensitive information such as AppsFlyer attribution data.
In the provided source code snippet of jRwTX.java, the following hardcoded cryptographic material is present:
1. Hardcoded Key and IV:

2. Usage in Decryption (within the onSuccessData method):

The Ovc.sT method decrypts the server response using the hardcoded key and IV. The decrypted data is then parsed into an AppsFylerResponseBean to extract the afsource value, which is saved into SharedPreferences and used as the AppsFlyer attribution data.
An attacker who decompiles the APK can retrieve these strings and, if they can intercept the network traffic (or obtain the encrypted response some other way), decrypt the server's response and read the sensitive attribution information.
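The defender-side check that follows from this finding is a static scan of the decompiled sources for exactly the pattern the report describes: a string literal (directly, or via a static String field) fed into SecretKeySpec or IvParameterSpec. The scanner below is an added example written for this page, not code from the report or from the application; the Java sample it runs over is constructed here with made-up class, field and literal names, and the regexes only cover the javax.crypto spec constructors, so material that reaches a Cipher through other paths still needs manual review.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of decompiled Java in the shape the report describes.
# Class, field and literal values are invented for this example and are not
# taken from the application under discussion.
SAMPLE_JAVA = '''\
package com.example.app;

public final class Dec {
    private static final String K = "ExampleKey123456";
    private static final String V = "ExampleIv0000000";

    static byte[] run(byte[] ct) throws Exception {
        SecretKeySpec spec = new SecretKeySpec("ExampleKey123456".getBytes("UTF-8"), "AES");
        IvParameterSpec iv = new IvParameterSpec(V.getBytes());
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, spec, iv);
        return c.doFinal(ct);
    }

    static SecretKeySpec fromKeystore(byte[] raw) {
        return new SecretKeySpec(raw, "AES");   // key bytes come from elsewhere: not flagged
    }
}
'''


@dataclass
class Finding:
    line: int      # 1-based line in the scanned source
    kind: str      # "key" or "iv"
    value: str     # the literal that ends up as key/IV material
    note: str      # how it got there, plus a size hint


STRING_LIT = r'"([^"\\]*(?:\\.[^"\\]*)*)"'
IDENT = r'([A-Za-z_$][\w$]*)'

# Literal passed straight to the spec constructor: new SecretKeySpec("...".getBytes(...), "AES")
DIRECT_KEY = re.compile(r'new\s+SecretKeySpec\s*\(\s*' + STRING_LIT + r'\s*\.getBytes')
DIRECT_IV = re.compile(r'new\s+IvParameterSpec\s*\(\s*' + STRING_LIT + r'\s*\.getBytes')
# Static String field passed by name: new IvParameterSpec(FIELD.getBytes())
FIELD_KEY = re.compile(r'new\s+SecretKeySpec\s*\(\s*' + IDENT + r'\s*\.getBytes')
FIELD_IV = re.compile(r'new\s+IvParameterSpec\s*\(\s*' + IDENT + r'\s*\.getBytes')
# static final String fields that hold a literal, resolved before the line scan
CONST = re.compile(r'static\s+final\s+String\s+' + IDENT + r'\s*=\s*' + STRING_LIT)


def size_hint(value: str) -> str:
    """Explain what an ASCII literal of this length would be usable as under AES."""
    n = len(value.encode("utf-8"))
    if n == 16:
        return "16 bytes: usable as an AES-128 key or a CBC IV"
    if n in (24, 32):
        return f"{n} bytes: usable as an AES-{n * 8} key"
    return f"{n} bytes: not a raw AES size, may be hashed or padded before use"


def scan_java(source: str) -> list[Finding]:
    """Return every SecretKeySpec/IvParameterSpec built from a string literal."""
    consts = {m.group(1): m.group(2) for m in CONST.finditer(source)}
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, direct, by_field in (("key", DIRECT_KEY, FIELD_KEY),
                                       ("iv", DIRECT_IV, FIELD_IV)):
            m = direct.search(line)
            if m:
                lit = m.group(1)
                findings.append(Finding(lineno, kind, lit,
                                        "literal passed directly; " + size_hint(lit)))
                continue
            m = by_field.search(line)
            if m and m.group(1) in consts:
                lit = consts[m.group(1)]
                findings.append(Finding(lineno, kind, lit,
                                        f"via static String {m.group(1)}; " + size_hint(lit)))
    return findings


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: hardcoded {f.kind} {f.value!r} ({f.note})")
```

Run over a whole decompiled tree by reading each `.java` file and calling `scan_java` on it; anything reported is key or IV material that ships inside the APK and therefore gives no confidentiality against someone holding the APK, which is the core of this finding. A fixed IV is worth flagging on its own even when the key is loaded securely, since reusing it under CBC makes identical plaintext prefixes produce identical ciphertext.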
Remove the hardcoded AES key and IV from the source code. Instead, use a secure key management approach:
An attacker who extracts the hardcoded cryptographic key and IV can decrypt server responses encrypted with the same key, potentially exposing sensitive data such as AppsFlyer attribution or other configuration values. This vulnerability undermines the overall security of the application, leading to risks of data leakage or manipulation.