My thoughts on AES - GHFear/AESDumpster GitHub Wiki

Is AES terrible?

  • NO, it is good for back-end encryption of data where the user never has access to the computer's memory or files.
  • YES, it is terrible for front-end applications where the end user has access to the executable and memory.

AES for front-end

  • Can you really not use AES safely in your front-end application? You can make it SAFER, but is it really worth it? My philosophy is that data that is sent to the front-end should NEVER be so sensitive that you need to encrypt it anyway. You would be better off keeping those things on the back-end.
  • ALL local encryption can be broken by disassembling and studying the program function by function until you find where the data is finally decrypted. Once you find where it's decrypted, you can either debug the program and study the registers to find the encryption key, or you can hook the function that is responsible for setting up the decryption and dump the key from it.
  • You would be better off using other obfuscation strategies like running your sensitive code in a non-commercial virtual machine.

AES for back-end

  • Before storing stuff like tokens or any other sensitive user data, you can safely encrypt it with AES-256.
  • As long as nobody has access to your back-end, the stored data is safe.
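The back-end use described above, as an added example (not AESDumpster's code or the wiki author's): sealing a token with AES-256-GCM before it is written to storage, with the record id bound as associated data so that a modified blob, or one copied into another user's row, fails to decrypt instead of yielding garbage. The mode (GCM), the function names EncryptToken/DecryptToken and the assumption that the 32-byte key is loaded from a secret store outside the database are choices made here, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds an AES-256-GCM instance. aes.NewCipher would silently
// accept a 16- or 24-byte key as AES-128/192, so the length is checked.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken seals a token before it is stored. recordID is bound as
// associated data, so a blob moved to another row will not decrypt.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptToken(key []byte, recordID string, token []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, token, []byte(recordID)), nil
}

// DecryptToken reverses EncryptToken. Any changed byte in nonce, ciphertext
// or tag, or a mismatched recordID, returns an error rather than plaintext.
func DecryptToken(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}
```

The key never lands in the database next to the ciphertext; the "nobody has access to your back-end" condition in practice means guarding wherever that key is loaded from.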