Enhancement #22347
[3.9.16][MIB][Android][MIB-3] Hardcoded Encryption Keys and Initialization Vector (IV) in Code
| Status: | New | Start date: | 18 August 2025 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Abdul Halim Baharom | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
Finding Summary: The Android application contains hardcoded cryptographic elements, including encryption keys and an initialization vector (IV), as shown in the following code in the file com/ecosystem/mobility/silverlake/slmobilesdk/security/SLCryptoAES:

```java
// Fixed all-zero IV, identical for every encryption
public static byte[] ivBytes = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
// Encryption keys embedded as string literals
public static String key = "silverlakesme";
public static String qrKey = "SME@Silverlake";
```
Both encryption keys (key and qrKey) and the initialization vector (ivBytes) are hardcoded directly in the source code. This is a significant security risk for two reasons:
Hardcoding keys and IVs in source code makes them easy for an attacker to retrieve from the application's APK, potentially exposing sensitive data. Anyone who obtains these keys can decrypt any data encrypted with them, compromising both confidentiality and integrity.
The initialization vector (ivBytes) is a fixed value (all zeros). A static, predictable IV defeats the purpose of an IV: it is meant to introduce randomness so that encrypting the same plaintext several times yields different ciphertexts. With a fixed IV, repeated plaintexts produce repeated ciphertexts, which weakens the encryption and exposes it to attacks such as pattern recognition or replay.
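The following is an added example written for this ticket, not code from the SLMobileSDK project. It shows the weak pattern described above (a fixed all-zero IV with a key taken from a string literal, using AES/CBC) next to a hardened form (a fresh random nonce per message and AES-GCM, with the key generated at runtime). The excerpt in the finding does not show how the key string is turned into key bytes, so the weak branch uses a constructed placeholder key padded to 16 bytes; the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class StaticIvDemo {

    // WEAK PATTERN (mirrors the finding): all-zero IV and a key derived from a
    // string literal. The key bytes are a constructed placeholder, not the
    // application's real key.
    static final byte[] STATIC_IV = new byte[16]; // 16 zero bytes
    static final byte[] STATIC_KEY =
            Arrays.copyOf("placeholder-key".getBytes(StandardCharsets.UTF_8), 16);

    static byte[] weakEncrypt(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(STATIC_KEY, "AES"),
               new IvParameterSpec(STATIC_IV));
        return c.doFinal(plaintext);
    }

    // HARDENED PATTERN: fresh random nonce for every message, AES-GCM (which also
    // authenticates the ciphertext), and a key created at runtime rather than
    // written in source. On Android the KeyGenerator would come from the
    // "AndroidKeyStore" provider so the key material never leaves the keystore;
    // a plain JVM KeyGenerator is used here so the example runs on a desktop.
    static final SecureRandom RNG = new SecureRandom();
    static final int GCM_NONCE_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: nonce || ciphertext+tag, so the decryptor can recover the nonce.
    static byte[] strongEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] strongDecrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return c.doFinal(ct); // throws AEADBadTagException if the blob was tampered with
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "same plaintext".getBytes(StandardCharsets.UTF_8); // constructed sample

        // With the static IV, two encryptions of the same message are byte-identical:
        // anyone who sees the stored or transmitted ciphertexts can tell that the data repeats.
        byte[] w1 = weakEncrypt(msg);
        byte[] w2 = weakEncrypt(msg);
        System.out.println("static IV, identical ciphertexts: " + Arrays.equals(w1, w2));

        // With a fresh nonce each time the ciphertexts differ, and both still decrypt.
        SecretKey key = newKey();
        byte[] s1 = strongEncrypt(key, msg);
        byte[] s2 = strongEncrypt(key, msg);
        System.out.println("random nonce, identical ciphertexts: " + Arrays.equals(s1, s2));
        System.out.println("round trip ok: " + Arrays.equals(strongDecrypt(key, s1), msg));
    }
}
```

Compile and run with `javac StaticIvDemo.java && java StaticIvDemo`. For the production fix on Android, replace newKey() with a key generated through KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore") and a KeyGenParameterSpec that restricts the key to GCM; the key then exists only inside the keystore and no literal needs to be shipped in the APK.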