Reddit’s app is a joke, so is its code. (Actual reverse-engineered code)

[text] VAt libredditndk.so Hide stuff in native library Nobody can ever read native code no matter how simple Put a dummy parameter in the calls from the Kotlin code so people will think something deep is going on KeyUtil.decryptSigningKeya0clel77d7afd4faaa3ee14f6ef712917c576a33dccd7381c63fed3312658bd8 Actually always returns 8c7abaa5f905f70400c81bf3alal01e75f7210104b1991f0cd5240aa80c4d99d jstring JavacomredditauthcommonutilKeyUtildecryptSigningKeyJINIEnv env jclass unused jstring fakeandunused char keystr char malloc66 Malloc Its just 66 bytes use a local variable stupid. forint 1 0 1 65 i keystri maplkeyil A substitution cipher.. height of cryptography in the year 300 BC. keystr65 0 Nullterminate the string return envNewStringUTFenv keystr Native memory allocations arent garbagecollected idiots you need to call free Now youre leaking memory on every single API request Visd String parameter is ignored always returns s3ybk2jbEg4BmxQqvqgXoGs3AQUHUH8Y KeyUtil.decryptGiphyApiKey uty893a3d7afd4faaa3ee14f6ef712917c576a33dccd7381c63fed331scukko8 On the Kotlin side we just change a few chars at the start and end of the dummy string surely nobody will notice the encrypted parameters are remarkably similar jstring JavacomredditmediacommonapikeysKeyUtildecryptGiphyApiKeyINIEnv env jclass unused jstring fakeandunused char keystr char malloc34 Again with the same stupidity forint 1 0 1 33 i keystri giphymapgiphykeyi GE 0 return envNewStringUTFenv keystr Again the same bug.