Security issue with cardinal commerce dependency

General information

  • SDK/Library version: cardinalmobilesdk:2.2.3-2
  • Environment: Production
  • Android Version and Device: Not device specific
  • Braintree dependencies: from ./gradlew dependencies:

```
com.braintreepayments.api:drop-in:4.6.0
+--- com.braintreepayments.api:braintree:3.11.1 -> 3.12.0
|    +--- com.braintreepayments.api:google-payment:3.3.1
|    +--- com.braintreepayments.api:core:3.12.0
|    |    \--- com.braintreepayments:browser-switch:0.2.0 -> com.libon.android.braintreepayments:browser-switch:0.2.0-5+efa3414
|    +--- com.paypal.android.sdk:paypal-one-touch:3.12.0
|    |    +--- com.braintreepayments.api:core:3.12.0 (*)
|    |    \--- com.paypal.android.sdk:data-collector:3.12.0
|    \--- androidx.appcompat:appcompat:1.0.1 -> 1.1.0 (*)
+--- com.braintreepayments:card-form:4.3.0
|    \--- com.google.android.material:material:1.0.0 -> 1.1.0 (*)
+--- com.braintreepayments.api:three-d-secure:3.11.1 -> 3.12.0
     +--- org.jfrog.cardinalcommerce.gradle:cardinalmobilesdk:2.2.3-2
```

Issue description

The Google Play console shows a warning about our apk:

Your app contains unsafe cryptographic encryption patterns. Please see this Google Help Center article for details.

Vulnerable classes:

d.f.d.a.i.d.b

From our deobfuscation file, we see that this is related to the cardinal commerce library:

com.cardinalcommerce.shared.cs.utils.d -> d.f.d.a.i.d:
    com.cardinalcommerce.shared.cs.utils.a c -> d
    android.content.SharedPreferences b -> a
    com.cardinalcommerce.shared.cs.utils.d a -> c
    com.cardinalcommerce.shared.cs.utils.c d -> b
    1:1:java.lang.String com.cardinalcommerce.shared.cs.utils.a.a(byte[]):0:0 -> b
    1:1:void a(java.lang.String,java.lang.String):0 -> b
    2:2:void a(java.lang.String,java.lang.String):0:0 -> b
    3:3:java.lang.String com.cardinalcommerce.shared.cs.utils.a.a(byte[]):0:0 -> b
    3:3:void a(java.lang.String,java.lang.String):0 -> b
    4:4:void a(java.lang.String,java.lang.String):0:0 -> b
    1:1:java.lang.String com.cardinalcommerce.shared.cs.utils.a.b(byte[]):0:0 -> c
    1:1:java.lang.String b(java.lang.String,java.lang.String):0 -> c
    2:2:java.lang.String b(java.lang.String,java.lang.String):0:0 -> c

Indeed, if you see this com.cardinalcommerce.shared.cs.utils.a.a method in Android Studio, it shows the decompiled code, and it looks exactly like what the Google Play article is warning about: containing a secret key in the code.
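As an added example (not code from the issue, Braintree or Cardinal), a small Python resolver for the ProGuard/R8 mapping format quoted above: given an obfuscated name such as d.f.d.a.i.d.b, it finds the original class and lists every member that was renamed to that short name, flagging methods inlined from another class, which is how the issue author traced the Play Console warning to the Cardinal SDK. The sample input is the mapping excerpt from the issue; the only assumption is the standard mapping.txt layout (class header line, indented member lines, '#' metadata comments).

```python
import re

# Sample input: mapping lines quoted in the issue (ProGuard/R8 mapping.txt format).
MAPPING_TEXT = """\
com.cardinalcommerce.shared.cs.utils.d -> d.f.d.a.i.d:
    com.cardinalcommerce.shared.cs.utils.c d -> b
    1:1:java.lang.String com.cardinalcommerce.shared.cs.utils.a.a(byte[]):0:0 -> b
    1:1:void a(java.lang.String,java.lang.String):0 -> b
    2:2:void a(java.lang.String,java.lang.String):0:0 -> b
    1:1:java.lang.String com.cardinalcommerce.shared.cs.utils.a.b(byte[]):0:0 -> c
    1:1:java.lang.String b(java.lang.String,java.lang.String):0 -> c
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# [start:end:]type name[(args)][:origStart[:origEnd]] -> obfuscatedName
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?(\S+) ([^\s(]+)(\([^)]*\))?(?::\d+(?::\d+)?)? -> (\S+)$"
)


def parse_mapping(text):
    """Return {obfuscated_class: (original_class, [(obf_member, signature), ...])}."""
    classes, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # R8 emits metadata as '#' comment lines
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(2), (m.group(1), []))
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            typ, name, args, obf = m.groups()
            # A dotted original name means the body was inlined from another class.
            sig = f"{'inlined ' if '.' in name else ''}{typ} {name}{args or ''}"
            if sig not in [s for _, s in current[1]]:  # collapse per-line-range duplicates
                current[1].append((obf, sig))
    return classes


def resolve(classes, obfuscated):
    """Map 'pkg.Cls.member' (as printed by Play Console) to its original class and members."""
    parts = obfuscated.split(".")
    for cut in range(len(parts), 0, -1):  # longest matching class prefix wins
        cls = ".".join(parts[:cut])
        if cls in classes:
            original, members = classes[cls]
            member = ".".join(parts[cut:])
            hits = [sig for obf, sig in members if obf == member] if member else []
            return {"class": original, "member": member or None, "candidates": hits}
    return None


if __name__ == "__main__":
    print(resolve(parse_mapping(MAPPING_TEXT), "d.f.d.a.i.d.b"))
```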

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 13 (4 by maintainers)

Top GitHub Comments

hollabaq86 commented, Jul 30, 2020 (2 reactions)

👋 @calvarez-ov and @jcloquell thanks for bringing this to our attention.

We’re sending this feedback to our MPI provider CardinalCommerce so they can update their SDK. I don’t have an ETA on when we’ll get a new version of Cardinal’s SDK that resolves this warning, so in the meantime we’ll keep this issue open to track updates.

sshropshire commented, Oct 27, 2020 (1 reaction)

Cardinal provided an update. This should now be fixed in version 3.14.2.
