CVE-2024-34897 - Nedis SmartLife Android App v1.4. API Key Disclosure Vulnerability

---

Introduction

A recently discovered security vulnerability impacts the Nedis SmartLife android application, posing a potential risk to user privacy and security. With the app's ever-increasing popularity, this particular issue underscores the need for developers and users alike to remain vigilant with software updates to ensure a secure experience.

This post will delve into CVE-2024-34897, the vulnerability affecting Nedis SmartLife Android App v1.4., which could potentially lead to unauthorized access due to API key disclosure. Moreover, it will shed light on the exploit details, how to reproduce the issue, and links to our original references used in discovering this vulnerability.

Exploit Details

The Nedis SmartLife app's main function is to empower users with control over their smart home devices using an intuitive interface. However, a vulnerability in the Android application permits attackers to access sensitive information - in this case, the API key - due to weak key storage and encryption methods.

Our team discovered that in Nedis SmartLife Android App v1.4., a hidden API key vulnerability (CVE-2024-34897) is present. The API key is stored in an unsecured manner within the app's code, which could allow an attacker to decompile the APK file and extract the API key. This, in turn, puts the user at risk of unauthorized access and manipulation of their devices through the app.

`

3. Navigate to the folder "output_folder/nl/nedis/smartlife/" to access the decompiled Java code.

public static final String API_KEY = "d29tZV9zZWNyZXQ=";

}

`

5. The API_KEY constant holds a Base64-encoded representation of the actual API key value. By decoding the given Base64 string with a simple online tool or the following Java code, it reveals the real API key:

}

}

Mitigation and Recommendations

To circumvent this vulnerability, the developers must redo the encryption and storage method for the API key, ensuring that it's securely stored and, if possible, dynamically fetched.

Educate themselves on the vulnerability and keep app version updates in consideration.

- Keep an eye out for news surrounding the CVE-2024-34897 vulnerability on platforms like the NVD (National Vulnerability Database).

References

- Nedis SmartLife Android App on Google Play Store
- JADX - Github Repository
- CVE-2024-34897 - CVE Details
- National Vulnerability Database (NVD)

Conclusion

The CVE-2024-34897 vulnerability in the Nedis SmartLife Android App v1.4. shows just how vital the implementation of proper security measures is in the realm of software development. We've highlighted the key aspects and impacts of this vulnerability, as well as provided a reproduction guide, instruction on how to extract the exposed API key, and suggested mitigation strategies.

As developers, it's crucial to prioritize security, especially in a world that's increasingly reliant on applications to manage aspects of daily life. As users, it's vital that we stay informed and keep our software up-to-date to best protect ourselves from any potential vulnerabilities.

Timeline

Published on: 02/03/2025 21:15:12 UTC
Last modified on: 03/18/2025 21:15:27 UTC