Hard-Coded credentials in Android app
2023-3-11 22:31:59 Author: infosecwriteups.com(查看原文) 阅读量:19 收藏

In the Android, application it is a package called apk(android package kit), it is similar to a zip-like format to extract the data from apk, we use apktool and JADX-GUI.

JADX-GUI is a very awesome tool to extract the data from apk and view the decompiled code. If we normally extract the data file, we couldn’t able to read. It is a hard thing to read. Using JADX we can able to easily understand code.

Photo by Denny Müller on Unsplash

Every app had the strings.xml, which is a file used to store the strings in the application package.

How I found the API Key disclosure issue!

  1. Download the apk file from the internet(which app you want to test)

2. Open JADX -> File ->Add File -> Click the test.apk It takes some time to decompile it (depending on your system environment)

3. Scroll Down the left side can able to see Resources -> resources.arsc -> res -> values -> strings.xml

4. Sometimes it may have API Keys, AWS Keys, Default passwords, admin creds, etc

Note:-

If you find any API Key please refer to this git repository to explain the impact

Linkedin : Barath Stalin


文章来源: https://infosecwriteups.com/what-is-in-the-strings-xml-b204b2e9bd67?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh