[Android] APK ships a static PSK used by HMAC/APN token code #49

@orgorin023

Summary

The Android APK (tech.apn, version 1.0.617) includes a fixed 64-byte pre-shared key in res/raw/psk.txt. Static analysis also shows the same APK has code paths referencing psk, PSK not configured, HmacSHA256, X-Apn-Token, and server not recognized (psk=...), so this appears to be part of the APN node/token authentication path rather than an unused asset.

I am intentionally not pasting the full PSK value in this public issue. It is reproducible from the public APK; I can provide the exact value privately if needed.

Environment

  • Device: OPPO Reno3 / PCLM50
  • Android: 12
  • App package: tech.apn
  • App version: 1.0.617
  • Install source: Google Play (installerPackageName=com.android.vending)
  • APK SHA-256: 9e9f8ca3404e8fef59c9f3f6b41464c93ee9d862e5cd997df5dad9f00fc0553b

Reproduction

  1. Install APN Android 1.0.617.
  2. Locate and pull the installed APK:
adb shell pm path tech.apn
adb pull '/data/app/.../tech.apn-.../base.apk' base.apk
  3. Inspect the packaged raw resources:
python3 - <<'PY'
import zipfile
with zipfile.ZipFile("base.apk") as z:
    for name in ["res/raw/psk.txt", "servers.json", "res/raw/gitee.txt", "res/raw/gitverse.txt", "res/raw/jucie.txt"]:
        data = z.read(name)
        print(name, len(data), data.decode("utf-8", "replace"))
PY

Observed:

  • res/raw/psk.txt is 64 bytes and contains a fixed hex-looking PSK. Redacted form: a1b2c3d4...e9f0a1b2.
  • sha256(res/raw/psk.txt) = 8381e261f574193459e3db639d564565699f8c8cd8fefb4a2540a3372f1a8b88
  • servers.json is also packaged in the APK with APN server IPs.
  4. Check that the key is not just a dead resource. A DEX string/xref scan shows these references:
res/raw/psk.txt
psk
PSK not configured
PSK must not be empty
HmacSHA256
X-Apn-Token
server not recognized (psk=...)
https://apn.tech/nodes
/servers.json
/raw/master/servers.json.enc

The relevant DEX xrefs include:

LW2/T->l        references "psk" and "PSK not configured"
LW2/F->a        references "HmacSHA256" and "server not recognized (psk=...)"
LW2/F->d        references "HmacSHA256"
LW2/I->i        references "HmacSHA256"
LT2/c->d        references "X-Apn-Token" and "X-APN-Error"
LU2/d->b        references "https://apn.tech/nodes" and "X-Apn-Token"

Expected behavior

A client-side APK should not contain a reusable symmetric PSK if that PSK is intended to authenticate server lists, derive APN tokens, or verify privileged node metadata. Public Android APK contents are available to every user and attacker.

If APN needs to verify server metadata, the APK should embed only a public verification key while the signing key remains server-side. If APN needs per-user authentication, token material should be per-account/per-device and revocable, not a global static PSK.

Actual behavior

The APK ships the same static PSK to every Android user. The APK code also references HMAC/token/server-recognition paths tied to psk, which suggests this value is operationally relevant.

Impact

If this PSK protects APN node metadata, encrypted server lists, or X-Apn-Token generation, any attacker can extract it from the public APK and attempt to:

  • reproduce or forge HMAC-protected APN metadata,
  • reverse encrypted server-list handling,
  • generate tokens that were intended to be app-internal,
  • weaken trust in server recognition or private-relocate logic.

I have not attempted to forge requests against APN infrastructure. This report is based on local APK extraction and static analysis only.

Duplicate check

I checked the public tracker for psk, hardcoded, X-Apn-Token, HmacSHA256, pre-shared, token, and apk. I did not find a duplicate hardcoded-PSK report.

Reporter

  • GitHub: orgorin023
  • Contact: orgorin023@gmail.com
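
A release-gate check for the condition reported above, as an added example that is not part of the original issue or the APN project's code: it scans an APK's res/raw/ and assets/ entries for files that consist of one long hex string and reports only their SHA-256. The function names, the 32-character threshold, the size limit and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# Assumption: secrets of interest look like the one reported here, a file
# under res/raw/ or assets/ whose whole content is one long hex string.
SCAN_PREFIXES = ("res/raw/", "assets/")
HEX_SECRET = re.compile(rb"[0-9a-fA-F]{32,}")
MAX_SIZE = 4096  # key files are small; skip large media resources


def find_packaged_hex_secrets(apk):
    """Return [(entry name, length, sha256 hex)] for suspected key files.

    `apk` is a path or a binary file object. Only a digest of the
    whitespace-stripped content is reported, so the finding can be filed
    without copying the secret itself.
    """
    findings = []
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            if not info.filename.startswith(SCAN_PREFIXES):
                continue
            if info.is_dir() or info.file_size > MAX_SIZE:
                continue
            data = z.read(info).strip()
            if HEX_SECRET.fullmatch(data):
                findings.append(
                    (info.filename, len(data), hashlib.sha256(data).hexdigest())
                )
    return findings


def build_sample_apk():
    """Constructed in-memory archive standing in for a release APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/raw/psk.txt", "0123456789abcdef" * 4)  # constructed key
        z.writestr("res/raw/notice.txt", "Licensed under the example terms.")
        z.writestr("assets/config.json", '{"endpoint": "https://example.invalid"}')
        z.writestr("classes.dex", "deadbeef" * 8)  # outside scanned prefixes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, length, digest in find_packaged_hex_secrets(build_sample_apk()):
        print(f"{name}: {length}-byte hex string, sha256={digest}")
```

Run against a build output by passing the APK path to `find_packaged_hex_secrets` and failing the pipeline when the returned list is non-empty.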
