CWE-321.md

## Application Details

Vulnerability: Use of Hard-coded Cryptographic Key

## Description

Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hard-coded AES encryption key, `aKySWb2jjrr4dzkYXczKRt7K`. An attacker with physical access to the application's source code or binary can extract this key and use it to decrypt the TLS secret.

## Code Reference

```java
// Key material is a string literal compiled into the APK, so anyone holding the binary has the key.
SecretKeySpec secretKeySpec = new SecretKeySpec("aKySWb2jjrr4dzkYXczKRt7K".getBytes(), "AES");
```

## Potential Risks

  1. Data Compromise: An attacker can easily decrypt any encrypted data using this key.
  2. Man-in-the-Middle Attacks: Knowledge of the encryption key allows an attacker to intercept and potentially modify data during transmission.
  3. Loss of Confidentiality: Encrypted data, whether stored or in transit, can be decrypted if the key is known.

## CWE Reference

This vulnerability can be related to CWE-321: Use of Hard-coded Cryptographic Key.
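The pattern quoted in the Code Reference above is mechanically detectable in source review. The following is an added example, not part of this report or the Phlox project: a small Python check that flags a `SecretKeySpec` built directly from a string literal and reports the resulting AES key size, using the page's own line as constructed sample input alongside a constructed keystore-based line that must not be flagged.

```python
"""Static check for CWE-321 in Java/Kotlin source: a SecretKeySpec constructed
from a string literal means the key ships inside the binary."""
import re
from dataclasses import dataclass

# Matches new SecretKeySpec("<literal>".getBytes(...), "<alg>") on one line and
# captures the literal key and the algorithm name.
HARDCODED_KEY_RE = re.compile(
    r'new\s+SecretKeySpec\s*\(\s*"(?P<key>[^"\\]*)"\s*\.getBytes\([^)]*\)\s*,\s*"(?P<alg>[^"]+)"'
)

@dataclass
class Finding:
    line_no: int
    algorithm: str
    key_bytes: int
    note: str

def scan_java_source(source: str) -> list[Finding]:
    """Return one Finding per line that embeds a literal key in a SecretKeySpec."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_KEY_RE.search(line)
        if not m:
            continue
        key_len = len(m.group("key").encode())
        alg = m.group("alg")
        if alg.upper() == "AES" and key_len in (16, 24, 32):
            note = f"AES-{key_len * 8} key embedded as a string literal"
        elif alg.upper() == "AES":
            note = f"{key_len}-byte literal is not a valid AES key length; would throw at runtime"
        else:
            note = f"{alg} key embedded as a string literal"
        findings.append(Finding(line_no, alg, key_len, note))
    return findings

# Constructed sample: line 2 reproduces the key construction quoted on this page;
# lines 4-5 load the key from the platform keystore (hypothetical alias) and are benign.
SAMPLE_SOURCE = """\
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
SecretKeySpec secretKeySpec = new SecretKeySpec("aKySWb2jjrr4dzkYXczKRt7K".getBytes(), "AES");
// hardened form: key material never appears in source or in the APK
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
SecretKey key = (SecretKey) ks.getKey("tls-secret-wrapper", null);
"""

if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.note}")
```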

## Additional Information

### Impact on 'com.phlox.simpleserver.plus' (Version 1.8.1-plus)

The issue described above also affects the paid version of the app, 'com.phlox.simpleserver.plus', in version 1.8.1-plus and earlier.

### Physical Access Risk

An attacker with physical access to the device could perform a data backup, gathering sensitive information.

- Backup and Decryption: The app's backup functionality may facilitate the extraction and decryption of sensitive data.