Hardcoded Static Keys in the Mobile App
Summary:
Some static keys are hardcoded in the app's source code. Because the app is distributed to clients, these keys ship inside the binary and can be recovered by anyone who inspects it.
CVSS (Base Score):
7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Conditions:
By reverse engineering the app client, conducting static analysis, or using other security research methods, an attacker may extract related keys or sensitive constants from binaries or resources.
Risk:
Some static keys or equivalent credentials may be learned. On their own they do not grant access, but combined with other conditions they broaden the opportunities to abuse the app-related capabilities that depend on them.
Impact Scope:
Confidentiality of keying material for app clients that depend on the hardcoded keys and the scenarios where those keys are used.
Remediation Steps:
Hardcoded key code has been removed from the app. Upgrade via official channels to fixed releases: iOS 6.1.7, Android 6.1.9, or later.
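A pre-release check that catches this class of defect before a build ships: scan source and resource files for string literals assigned to key-like names, and for long hex or base64-looking constants, and flag those with high Shannon entropy. The following is an added example and not code from the app or vendor in this bulletin; the `Crypto` class, the `KeyProvisioner.fetchFromKeystore` call and every literal in `SAMPLE_SOURCE` are constructed to show the hardcoded pattern beside the hardened form (key material provisioned at runtime, so nothing is embedded in the binary).

```python
import math
import re

# String literals assigned to names that commonly hold keying material.
# The name must be directly followed by '=' or ':' and a quoted literal of 8+ chars.
KEY_NAME = re.compile(
    r'(?i)\b([A-Za-z_]*(?:key|secret|token|passw(?:or)?d|salt|hmac)[A-Za-z_]*)'
    r'\s*[:=]\s*"([^"]{8,})"'
)
# Long hex or base64-looking literals are suspicious even without a telling name.
LONG_LITERAL = re.compile(r'"([A-Fa-f0-9]{32,}|[A-Za-z0-9+/]{32,}={0,2})"')


def shannon_entropy(s):
    """Bits of entropy per character; random-looking key material scores high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, entropy_threshold=3.0):
    """Return (line_no, name_or_None, literal) for literals that look like keys.

    Comment lines are skipped; low-entropy literals such as "production"
    are ignored so ordinary configuration strings do not trip the check.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        m = KEY_NAME.search(line)
        if m:
            name, literal = m.group(1), m.group(2)
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((line_no, name, literal))
            continue
        m = LONG_LITERAL.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((line_no, None, m.group(1)))
    return findings


# Constructed sample source (Java-style); not from any real project.
SAMPLE_SOURCE = """\
package com.example.app;
public final class Crypto {
    // Hardcoded keys: the pattern this bulletin describes (constructed values)
    private static final String HMAC_KEY = "9f86d081884c7d659a2feaa0c55ad015";
    private static final String API_TOKEN = "sk_live_EXAMPLE_0123456789abcdefXYZ";
    private static final String BUILD_FLAVOR = "production";
    private static final String LOG_TAG = "Crypto";
    // Hardened form: key material is provisioned at runtime, nothing to extract
    private static byte[] sessionKey = KeyProvisioner.fetchFromKeystore("session");
}
"""


if __name__ == "__main__":
    for line_no, name, literal in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name or '<unnamed literal>'} = {literal!r}")
```

Run it over the app's source tree and resource files in CI and fail the build on any finding; the entropy threshold and name list are starting points to tune against the code base's own false positives.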
Acknowledgment:
We thank Sammy Azdoufal for valuable assistance in discovering this vulnerability and coordinating responsible disclosure.