Android App "Spoon" uses a hard-coded API key for an external service


Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service (CWE-798).

Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Spoon Radio Japan Inc.
  • Android Spoon application version 7.11.1 to 8.6.0


The hard-coded API key may be retrieved when the application binary is reverse-engineered.
This API key may be used for unexpected access of the associated service.

Note that the application users are not directly affected by this vulnerability.

[Update the Application]
Update the application to the latest version according to the information provided by the developer.
This vulnerability has been fixed in Android Spoon application version 8.6.1 or later.
Vendor Information

Spoon Radio Japan Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-23453

  1. JVN : JVN#96154238
  2. National Vulnerability Database (NVD) : CVE-2024-23453
Revision History

  • [2024/01/23]
      Web page was published
  • [2024/01/24]
      Overview was modified
  • [2024/03/14]
      References : Content was added