
SDK 5.0.0 introduced high level security vulnerability (per AppSweep) #1227

kmayoral opened this issue Dec 3, 2024 · 2 comments

kmayoral commented Dec 3, 2024

Braintree SDK Version

5.0.0

Environment

Both

Android Version & Device

N/A - static analysis tool result

Braintree dependencies

versions.toml:

payment-braintree = { group = "com.braintreepayments.api", name = "card", version = "5.0.0" }
payment-braintreePaypal = { group = "com.braintreepayments.api", name = "paypal", version = "5.0.0" }

Describe the bug

We recently updated our app integration from the 4.41.0 version of the SDK to the 5.0.0 version of the SDK. After running the AppSweep static security vulnerability analysis tool, we see a new high severity issue that we believe to be associated with the updated SDK.

Summary:

Data read from json object is used to create a cryptographic key
Data read from json object is used as a sensitive key material during the creation of cryptographic key.

Obtaining key material from insecure sources exposes the cryptographic system to potential compromise and unauthorized access. For instance, in cases when key material is retrieved from web, attackers may intercept it during transmission, leading to breaches in confidentiality of encrypted data.

Finding details

Data flows from String JSONObject.optString(String,String) into SecretKeySpec(byte[],String)

Data from source String JSONObject.optString(String,String)
in String e.h()
(line undefined)

is returned by String NK6.q()
in void i.a(int,MagnesSettings)
(line undefined)

passed via argument 4 of String qL6.s(String,String,long,String)
in void i.a(int,MagnesSettings)
(line undefined)

is propagated through String SK6.c(String) (method not analyzed)
in String i.a(String,String,long,String)
(line undefined)

is propagated through byte[] String.getBytes() (method not analyzed)
in String i.a(String,String,long,String)
(line undefined)

flows into SecretKeySpec(byte[],String)
in String i.a(String,String,long,String)

You can see that even though the code is obfuscated, we can still see a reference to MagnesSettings in the findings detail above, which is a class defined within this SDK.

To reproduce

  1. Generate a sample Android app using version 4.41.0 of the Card and PayPal braintree libraries
  2. Upload the generated .aab or .apk file to https://appsweep.guardsquare.com/ for static analysis
  3. Verify that you don't see a "Data read from json object is used to create a cryptographic key" high severity issue in the scan results
  4. Update the sample app to replace 4.41.0 with 5.0.0 and regenerate .aab / .apk files
  5. Upload updated app binary to AppSweep
  6. Verify that you now see a "Data read from json object is used to create a cryptographic key" high severity issue in the scan results

Expected behavior

We should not see this high severity issue in scan results.

Screenshots

Summary:
[screenshot: appsweep.guardsquare.com build scan, braintree issue (condensed)]

Expanded Detail (can remove this if needed):
[screenshot: appsweep.guardsquare.com build scan, braintree issue (full)]
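To make the reported data flow concrete, here is an added illustration that is not Braintree, Magnes or AppSweep code: the left-hand method reproduces the exact taint path the scanner describes (JSONObject.optString -> String.getBytes -> SecretKeySpec), and the second method shows the shape of a fix in which key material never comes from a parsed payload at all. The HMAC-SHA256 algorithm, the "key" JSON field and the keystore alias are assumptions for the example; the finding above does not say which algorithm or field the SDK uses.

```java
// Added example (not the SDK's code). Demonstrates why a static analyzer flags
// key bytes that originate in a JSON value, and one way to keep them out of it.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.json.JSONObject;

public final class KeyMaterialExample {
    // Hypothetical alias for the keystore-held key.
    private static final String ALIAS = "example-hmac-key";

    // The pattern AppSweep reports: the key bytes are whatever the JSON says.
    // Anyone who can read or alter that JSON (on disk, in transit, in the APK)
    // holds the same key, so a MAC computed with it proves nothing to them.
    static byte[] macWithJsonKey(String json, byte[] message) throws Exception {
        JSONObject settings = new JSONObject(json);
        String keyText = settings.optString("key", "");          // taint source
        byte[] keyBytes = keyText.getBytes(StandardCharsets.UTF_8);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "HmacSHA256"); // sink
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(message);
    }

    // Alternative: the key is generated inside AndroidKeyStore and its raw bytes
    // are never handed to app code, so nothing parsed from JSON can become
    // key material and the analyzer has no source-to-sink path to report.
    static byte[] macWithKeystoreKey(byte[] message) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (!ks.containsAlias(ALIAS)) {
            KeyGenerator kg = KeyGenerator.getInstance(
                    KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore");
            kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                    .build());
            kg.generateKey();
        }
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(message);
    }
}
```

Whether the flagged path in the SDK is actually exploitable depends on where that JSON comes from and what the derived key protects, which the scanner output alone does not tell you; the example only shows why the tool treats the pattern as high severity.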

sarahkoop (Contributor) commented

Hi @kmayoral - Thanks for reporting this issue! There was a change to the internal Magnes SDK version used within the SDK between 4.41.0 and 5.0.0, so we are bringing this issue to the Magnes team to investigate.


kmayoral commented Dec 3, 2024

Sounds great, thanks @sarahkoop! Let me know if you'd like to download the second screenshot locally and have me edit it out from the OP. I don't think there are any issues keeping it up, but defer to you there, thanks again.
