The Android application was validating the flag via a native library. This library performed AES CBC encryption of the provided password, and checked it against an expected output. See full write-up.

Original writeup (https://cryptax.github.io/2021/06/14/thcon-goodold.html).