iotaledger / android-wallet-app

IOTA Android Wallet Application
GNU General Public License v3.0

App uses weak key derivation #177

Open sonOfRa opened 6 years ago

sonOfRa commented 6 years ago

While the weak, preset IV was already reported in August (#60), the app also uses a weak way to derive the key for the encryption. This combination makes the wallet seed very vulnerable.

https://github.com/iotaledger/android-wallet-app/blob/master/app/src/main/java/org/iota/wallet/helper/AESCrypt.java#L40

Here, a single iteration of SHA256 is used to hash the password. At the very least, a construction like PBKDF2 should be used to derive a key. There are also dedicated key derivation functions like Argon2 or scrypt that can be used for this, and should be preferred over PBKDF2, but they require external libraries.

Before you answer "but this app is deprecated": Please consider that in order to install the new wallet, you have to sign up for a beta program. Every user who doesn't sign up for the beta program is vulnerable, and has been vulnerable for a very long time. Please consider fixing these issues and pushing a new release to make users of this app secure.
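The two derivations contrasted in the issue above, as an added example that is not the app's code or part of the original comment: `weakKey` follows the issue's description (one unsalted SHA-256 pass), and `pbkdf2Key` uses the JDK's built-in PBKDF2. The class name, iteration count, salt size and sample password are assumptions chosen for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyDerivationDemo {
    // Assumed values for illustration; tune ITERATIONS to the slowest supported device.
    static final int ITERATIONS = 200_000;
    static final int KEY_BITS = 256;
    static final int SALT_BYTES = 16;

    // Weak: one unsalted SHA-256 pass, as the issue describes. The same password always
    // yields the same key, and each attacker guess costs a single hash computation.
    static SecretKeySpec weakKey(String password) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(digest, "AES");
    }

    // Stronger: PBKDF2-HMAC-SHA256 with a random per-wallet salt and many iterations.
    static SecretKeySpec pbkdf2Key(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(key, "AES");
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "constructed-sample-password".toCharArray();
        byte[] saltA = new byte[SALT_BYTES], saltB = new byte[SALT_BYTES];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(saltA);
        rng.nextBytes(saltB);
        byte[] k1 = pbkdf2Key(password, saltA).getEncoded();
        byte[] k2 = pbkdf2Key(password, saltB).getEncoded();
        // Same password, different salts: do the keys match?
        System.out.println("different salts, same key: " + Arrays.equals(k1, k2));
        // Same password, stored salt reused: is the key reproducible for decryption?
        System.out.println("same salt, same key: "
                + Arrays.equals(k1, pbkdf2Key(password, saltA).getEncoded()));
    }
}
```

The salt is not secret and has to be stored next to the ciphertext so the key can be re-derived at unlock time; existing wallets would need a one-time re-encryption under the new key.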