react-native-keys Sensitive Information Disclosure Vulnerability

A vulnerability in the react-native-keys library version 0.7.11 allows for remote sensitive information disclosure. The issue arises because the encryption cipher and Base64-encoded chunks are stored in plaintext within the compiled native binary. This flaw enables attackers to extract these secrets using basic static analysis tools. The vulnerability is exacerbated by the encryption key's predictable generation, derived from a weak random method, which can be brute-forced.

Impact

Successful exploitation allows for the extraction and decryption of API keys managed by the react-native-keys library. This could lead to unauthorized access to backend services, depending on the nature of the exposed keys. For instance, access to Firebase, Stripe, or AWS keys could result in database breaches, financial fraud, or data leaks. Additionally, applications using this library may suffer reputational harm and non-compliance with security standards like PCI DSS and GDPR.

Reproduction

To reproduce this vulnerability, decompile the APK of an application using react-native-keys 0.7.11. Extract the compiled native library 'libreact-native-keys.so' from the appropriate directory. Use a static analysis tool like Hopper to inspect the binary and locate the Base64-encoded chunks and the encryption cipher. The cipher can be extracted using the 'strings' command. Once the cipher and chunks are obtained, combine the chunks and decrypt them using the AES-256-CBC algorithm, using the extracted cipher as the key.

Remediation

Remove the react-native-keys library and replace it with more secure server-side API key management solutions. After removing the library, rotate all exposed API keys to prevent potential misuse.