Flock Safety DetectionProcessing Application Hardcoded Java Keystore Vulnerability
Vulnerability
A vulnerability exists in the Flock Safety DetectionProcessing application (com.flocksafety.android.objects) version 6.35.33 for Android. This application, installed on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices, ships a Java Keystore file (flock_rye.bks) inside the application package, protected by a hardcoded password (flockhibiki17). The keystore contains a private key, which could be extracted and potentially misused.
Impact
The hardcoded Java Keystore and password allow for unauthorized access to the private key contained within the keystore. This could lead to unauthorized actions or access, depending on how the private key is intended to be used.
Reproduction
The vulnerability can be reproduced by accessing the Flock Safety DetectionProcessing application version 6.35.33 on a Falcon or Sparrow License Plate Reader or a Bravo Edge AI Compute Device. The Java Keystore file can be found in the application's raw resources directory. Once the keystore is obtained, it can be accessed using the hardcoded password, allowing extraction of the private key.
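The issue described above is a general class of defect: a client-side package that carries a keystore file together with the literal password needed to open it. The script below is an added example, not code from the advisory or from Flock Safety, showing a build-time check a defender can run over an unpacked app tree (decoded resources plus decompiled or original source) to flag embedded keystore files and string-literal passwords handed to KeyStore.load(). The directory layout, file names and contents it builds are constructed for illustration; none of them are the advisory's artefacts.

```python
"""Flag embedded keystores and hardcoded keystore passwords in an unpacked
Android app tree. Added example; the sample tree built by build_sample_tree()
is constructed for illustration and does not reproduce any real app."""
import os
import re
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

KEYSTORE_EXTS = {".bks", ".jks", ".p12", ".pfx", ".keystore"}
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # header of a Sun/Oracle JKS keystore
# A string literal passed as the password to KeyStore.load() in Java/Kotlin
# source, e.g.  ks.load(stream, "secret".toCharArray())
LOAD_LITERAL = re.compile(r'\.load\([^,]*,\s*"([^"]*)"\s*\.toCharArray\(\)')


@dataclass
class Finding:
    path: str
    kind: str    # "embedded-keystore" or "hardcoded-keystore-password"
    detail: str  # keystore type, or the source line number


def classify_keystore(path: str) -> Optional[str]:
    """Return the keystore format if the file looks like one, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4)
    if head == JKS_MAGIC:
        return "JKS"
    # BouncyCastle BKS files begin with a big-endian int32 format version (1 or 2)
    if ext == ".bks" and len(head) == 4 and struct.unpack(">I", head)[0] in (1, 2):
        return "BKS"
    if ext in (".p12", ".pfx") and head[:1] == b"\x30":  # ASN.1 SEQUENCE
        return "PKCS12"
    if ext in KEYSTORE_EXTS:
        return "unknown-keystore"
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk the unpacked app and collect keystore files and literal passwords."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = classify_keystore(path)
            if kind:
                findings.append(Finding(path, "embedded-keystore", kind))
            if name.endswith((".java", ".kt")):
                with open(path, encoding="utf-8", errors="replace") as f:
                    for lineno, line in enumerate(f, 1):
                        if LOAD_LITERAL.search(line):
                            findings.append(
                                Finding(path, "hardcoded-keystore-password", f"line {lineno}")
                            )
    return findings


def build_sample_tree() -> str:
    """Construct a small fake app tree: one BKS keystore in res/raw, one
    source file with a literal password, and two benign files."""
    root = tempfile.mkdtemp()
    raw = os.path.join(root, "res", "raw")
    src = os.path.join(root, "src")
    os.makedirs(raw)
    os.makedirs(src)
    with open(os.path.join(raw, "client_keys.bks"), "wb") as f:
        f.write(b"\x00\x00\x00\x02" + b"\x00" * 32)   # constructed BKS v2 header
    with open(os.path.join(raw, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")                  # benign resource
    with open(os.path.join(src, "Tls.java"), "w") as f:
        f.write('ks.load(in, "example-password".toCharArray());\n')  # flagged
    with open(os.path.join(src, "Ok.java"), "w") as f:
        f.write("ks.load(in, passwordFromDeviceKeystore());\n")      # not flagged
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(f"{finding.kind}: {finding.path} ({finding.detail})")
```

Run against a real build by pointing scan_tree() at the output of an APK decoder instead of the sample tree. Any "embedded-keystore" hit in a package that reaches end users deserves a design review: a private key that must be held on the device belongs in a hardware-backed keystore provisioned per device, not in a file whose password is a constant in the code.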