Security Vulnerability Report
Summary
MobSF (Mobile Security Framework) static analysis of a production APK built with huawei_push: 6.14.0+300
reports a HIGH severity security finding in decompiled classes originating from the bundled
Huawei HMS Core SDK.
Affected Package
- Plugin:
huawei_push
- Version tested:
6.14.0+300
- Latest version:
6.15.0+300 (issue persists — no security fix mentioned in changelog)
- Platform: Android
- Flutter version: 3.32.1
Finding Details
| Field |
Value |
| Severity |
HIGH |
| CWE |
CWE-649 |
| OWASP Mobile |
M5 – Insufficient Cryptography |
| MSTG Reference |
MSTG-CRYPTO-3 |
| Tool |
MobSF v4.5.0 |
Description:
"The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable
to padding oracle attacks."
Flagged decompiled files (from APK analysis):
R5/AbstractC2445a.javah5/k.java
These obfuscated class names are not from the Flutter/Dart application code. After searching the
entire lib/ source tree, no AES/CBC usage was found in the app's own Dart code. The finding
originates from the native Huawei HMS Core SDK (.aar) bundled within the huawei_push plugin.
Expected Behavior
The HMS Core SDK should use authenticated encryption (e.g., AES-GCM) instead of AES-CBC with
PKCS5/PKCS7 padding to prevent padding oracle attacks.
Steps to Reproduce
- Add
huawei_push: ^6.14.0+300 to a Flutter project
- Build a release APK (
flutter build apk --release)
- Scan the APK with MobSF v4.0+
- Observe HIGH severity finding: "CBC with PKCS5/PKCS7 padding — vulnerable to padding oracle attacks"
Impact
Any data encrypted by the HMS Core SDK using AES-CBC + PKCS7 padding may be vulnerable to
padding oracle attacks if an attacker can observe padding-related error responses
(CWE-649 / OWASP M5).
Requested Fix
- Replace AES-CBC + PKCS5/PKCS7 with AES-GCM (authenticated encryption) in the bundled
HMS Core SDK, or
- Document if CBC is used only internally in a way that is not exploitable (e.g., no padding
oracle side-channel exists), so developers can provide justification in security audits.
Environment
|
|
| OS |
Android APK |
| Flutter |
3.32.1 |
| Dart SDK |
>=3.8.0 |
| huawei_push |
6.14.0+300 |
| MobSF |
v4.5.0 |
Security Vulnerability Report
Summary
MobSF (Mobile Security Framework) static analysis of a production APK built with
huawei_push: 6.14.0+300reports a HIGH severity security finding in decompiled classes originating from the bundled
Huawei HMS Core SDK.
Affected Package
huawei_push6.14.0+3006.15.0+300(issue persists — no security fix mentioned in changelog)Finding Details
Description:
Flagged decompiled files (from APK analysis):
R5/AbstractC2445a.javah5/k.javaThese obfuscated class names are not from the Flutter/Dart application code. After searching the
entire
lib/source tree, no AES/CBC usage was found in the app's own Dart code. The findingoriginates from the native Huawei HMS Core SDK (
.aar) bundled within thehuawei_pushplugin.Expected Behavior
The HMS Core SDK should use authenticated encryption (e.g., AES-GCM) instead of AES-CBC with
PKCS5/PKCS7 padding to prevent padding oracle attacks.
Steps to Reproduce
huawei_push: ^6.14.0+300to a Flutter projectflutter build apk --release)Impact
Any data encrypted by the HMS Core SDK using AES-CBC + PKCS7 padding may be vulnerable to
padding oracle attacks if an attacker can observe padding-related error responses
(CWE-649 / OWASP M5).
Requested Fix
HMS Core SDK, or
oracle side-channel exists), so developers can provide justification in security audits.
Environment