In the Android application ae.index.apgcs version 1.0.2, hardcoded credentials (ACCESS_KEY and HASH_KEY) were discovered in the source file com/index/event/BuildConfig.java. An attacker can extract these keys through reverse engineering and directly call the authenticate_app API to obtain sensitive backend information, including but not limited to FCM server keys, SMTP passwords, Infobip API keys, Elastic email keys, Google reCAPTCHA secrets, and other internal configuration details.
aedes/me/beta/utils/EngageBayUtils.java
3. Use the extracted keys to send a POST request to https://api.index.ae/authenticate_app and retrieve the response.

curl -v -X POST "https://api.index.ae/authenticate_app" \
-H "Content-Type: application/json" \
-d '{
"access_key": "864293",
"hash_key": "attu88C64IWHRV7aO6N",
"versionName": "1.0.2"
}'
Remove the hardcoded ACCESS_KEY and HASH_KEY from the client-side source code. Immediately revoke and rotate all exposed credentials (FCM server key, SMTP password, Infobip API key, etc.) and move all sensitive API calls to a secure backend server acting as a proxy.
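
A release-gate check for the remediation above, as an added example that is not part of the original advisory or the application's code: it scans a `BuildConfig.java` for secret-looking `String` constants that still carry literal values. The sample file, the name heuristic and the `${...}` placeholder convention are assumptions, and the key values in the sample are constructed.

```python
import re

# Matches Java constant declarations such as:
#   public static final String ACCESS_KEY = "value";
DECL = re.compile(
    r'\bstatic\s+final\s+String\s+(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>(?:[^"\\]|\\.)*)"\s*;'
)
# Constant names that suggest a credential (assumed naming heuristic).
SECRET_NAME = re.compile(r"(KEY|SECRET|PASSWORD|PASSWD|TOKEN|CREDENTIAL)", re.I)
# Values that are not secrets: empty strings or ${...} build-time placeholders (assumed convention).
ALLOWED_VALUE = re.compile(r"^(|\$\{[^}]+\})$")

def redact(value):
    """Report only the length so scan output does not leak the secret again."""
    return f"<redacted, {len(value)} chars>"

def find_hardcoded_secrets(java_source, path="<memory>"):
    """Return findings for secret-looking String constants that hold a literal value."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # ignore commented-out declarations
        for m in DECL.finditer(line):
            name, value = m.group("name"), m.group("value")
            if SECRET_NAME.search(name) and not ALLOWED_VALUE.match(value):
                findings.append({"path": path, "line": lineno,
                                 "name": name, "value": redact(value)})
    return findings

# Constructed sample input, not the real application's file or key values.
SAMPLE_BUILDCONFIG = '''
package com.example.app;
public final class BuildConfig {
    public static final String APPLICATION_ID = "com.example.app";
    public static final String VERSION_NAME = "1.0.2";
    public static final String ACCESS_KEY = "000000";
    public static final String HASH_KEY = "EXAMPLE-NOT-A-REAL-KEY";
    public static final String API_TOKEN = "";
    // public static final String OLD_SECRET = "unused";
}
'''

if __name__ == "__main__":
    results = find_hardcoded_secrets(SAMPLE_BUILDCONFIG, "BuildConfig.java")
    for f in results:
        print(f'{f["path"]}:{f["line"]}: {f["name"]} = {f["value"]}')
    raise SystemExit(1 if results else 0)  # non-zero exit fails the build
```

Run against the decompiled or generated sources of a release build, a non-empty result means a credential would still ship inside the APK.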
An attacker can extract the hardcoded ACCESS_KEY and HASH_KEY to retrieve sensitive backend secrets, including FCM server keys, SMTP passwords, and Infobip API keys. This could enable the attacker to send malicious push notifications, spoof official emails, and abuse third‑party services, leading to widespread user data theft, financial loss, and severe reputational damage.