OSINT Verified 2026-03-31
Independent decompilation of the Persona Wallet APK v1.14.0 (SDK v2.32.3, built March 11, 2026) and analysis of the web inquiry bundle from cdn.withpersona.com (inquiry-main.js, 1.8MB) reveals the full scope of Persona's surveillance capabilities. The APK was obtained from APKPure and decompiled with jadx 1.5.5. The Roblox APK v2.714.1091 was decompiled separately to confirm the SDK integration. All findings are from publicly available APKs and client-side JavaScript served to every user.
SDK Hardcoded AES-256-GCM Telemetry Encryption Key
Every copy of the Persona SDK contains a hardcoded AES-256-GCM encryption key in TrackingEventUtilsKt.java line 22:
4ERbfREmnh82jvK5QaXOv8jZ3OQq9hKg5o/Hbb3l9bk=
All telemetry events are "encrypted" with this key before transmission to POST https://tg.withpersona.com/t. Since the key is embedded in every publicly downloadable APK, anyone with a copy of the app can decrypt the payloads. The encryption pipeline serializes events to JSON, wraps them as {"events": <json_array>}, encrypts with AES-256-GCM using a 12-byte random IV, then Base64-encodes the ciphertext and sends it as {"e": "<base64_blob>"}. This is obfuscation, not security: a key that every client must carry cannot be kept from anyone who holds the client. A standalone Python decryptor was built and verified in round-trip testing.
Primary source: Decompiled from Persona Wallet APK v1.14.0 | jadx 1.5.5 | 2026-03-31
File: tracking-events-2.35.2.aar → TrackingEventUtilsKt.java, line 22
SHA-256: 048e9971ef932d8dac568b5d5b271e4cacaa443f32049a8dff519bd2dc1154d6
APK package: com.withpersona.app.reusablepersonas v1.14.0 (version code 1001380, target SDK 35)
APK manifest SHA-256: 0daf3d5292e143d4a636e8575810849128e77f491d814d5e058ce68947d16fc1
Reproduce: jadx -d out persona-wallet.apk && grep -n "4ERbfREmnh82jvK5" out/**/TrackingEventUtilsKt.java
Decompiled source (lines 18–22):

    public final class TrackingEventUtilsKt {
        private static final int GCM_TAG_LENGTH_BITS = 128;
        private static final int GCM_IV_LENGTH_BYTES = 12;
        private static final int AES_KEY_LENGTH_BYTES = 32;
        private static final String TEST_OBFUSCATION_KEY = "4ERbfREmnh82jvK5QaXOv8jZ3OQq9hKg5o/Hbb3l9bk=";
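The pipeline described above, written out as an added round-trip example (not the report's Python tool and not Persona's code), in Go with only the standard library so it runs offline. It uses a constructed 32-byte key rather than the one from the APK, and assumes the Base64 blob is laid out as IV || ciphertext || GCM tag, which the decompiled lines do not show; the point it makes is the report's: whoever holds the shipped key recovers every event, while a different key or a modified blob fails the tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Constructed stand-in key (bytes 0x00..0x1f, base64 like the APK string); not the SDK's real key.
var demoKey, _ = base64.StdEncoding.DecodeString("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=")
const gcmIVLen = 12 // GCM_IV_LENGTH_BYTES in the decompiled source

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // 32 bytes selects AES-256; any other length panics below
	gcm, _ := cipher.NewGCM(block) // 12-byte nonce, 128-bit tag, matching the SDK constants
	return gcm
}

// WrapEvents mirrors the SDK pipeline: {"events":[...]} -> AES-256-GCM under a random 12-byte IV
// -> base64 -> {"e":"<blob>"}. Blob layout IV||ct||tag is an assumption (not shown on the page).
func WrapEvents(key []byte, events []map[string]any) []byte {
	plain, _ := json.Marshal(map[string]any{"events": events})
	iv := make([]byte, gcmIVLen)
	rand.Read(iv) // crypto/rand; documented never to fail since Go 1.24
	blob := newGCM(key).Seal(iv, iv, plain, nil) // IV first, then ciphertext and tag
	body, _ := json.Marshal(map[string]string{"e": base64.StdEncoding.EncodeToString(blob)})
	return body
}

// UnwrapEvents is what any holder of the shipped key can do with a captured body;
// a wrong key or a tampered blob fails the GCM tag check instead of decrypting.
func UnwrapEvents(key []byte, body []byte) ([]map[string]any, error) {
	var env struct{ E string `json:"e"` }
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, err
	}
	blob, err := base64.StdEncoding.DecodeString(env.E)
	if err != nil || len(blob) < gcmIVLen {
		return nil, errors.New("malformed telemetry blob")
	}
	plain, err := newGCM(key).Open(nil, blob[:gcmIVLen], blob[gcmIVLen:], nil)
	if err != nil {
		return nil, err // authentication failed: wrong key or modified data
	}
	var out struct{ Events []map[string]any `json:"events"` }
	return out.Events, json.Unmarshal(plain, &out)
}
```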
SDK Zero Certificate Pinning
The SDK does not implement certificate pinning. The OkHttpClient builder creates a standard client without calling certificatePinner(). Combined with the hardcoded AES key, a standard MITM proxy trusted through a user-installed CA certificate can capture and decrypt all Persona telemetry from any app that embeds the SDK.
Primary source: Decompiled from Persona SDK network-core-2.35.2.aar | jadx 1.5.5 | 2026-03-31
File: network-core-2.35.2.aar → NetworkCoreModule.java, lines 185–227
SHA-256: df16712972d5d19d6a71da68aa9fa912257b98c0dbac6c03698fca489b729126
What to look for: The okhttpClient() method builds an OkHttpClient without calling certificatePinner(). The builder chain is: addNetworkInterceptor → readTimeout → writeTimeout → connectTimeout → addInterceptor (loop) → build(). No pinning step exists.
Reproduce: jadx -d out persona-wallet.apk && grep -rn "certificatePinner\|CertificatePinner" out/ (returns zero results)
Decompiled source (lines 185–227, abbreviated):

    public final OkHttpClient okhttpClient(...) {
        OkHttpClient.Builder builderAddNetworkInterceptor = new OkHttpClient.Builder().addNetworkInterceptor(new Interceptor() {
            public final Response intercept(Interceptor.Chain chain) {
                // ... adds Persona-Version, Persona-Device-*, VTDGJLGG headers ...
                return chain.proceed(builderHeader3.build());
            }
        });
        TimeUnit timeUnit = TimeUnit.MINUTES;
        OkHttpClient.Builder builderConnectTimeout = builderAddNetworkInterceptor
            .readTimeout(1L, timeUnit)
            .writeTimeout(1L, timeUnit)
            .connectTimeout(1L, timeUnit);
        Iterator it = set.iterator();
        while (it.hasNext()) {
            builderConnectTimeout.addInterceptor((Interceptor) it.next());
        }
        return builderConnectTimeout.build(); // No certificatePinner() call anywhere in this chain.
    }