An Android application is distributed as a package called an APK (Android Package Kit), which is a zip-like format. To extract the data from an APK, we use apktool and JADX-GUI.
JADX-GUI is an excellent tool for extracting the data from an APK and viewing the decompiled code. If we simply extract the package like a normal archive, the resulting files are very hard to read. With JADX, the code becomes easy to understand.
Every app has a strings.xml, a file used to store the strings in the application package.
How I found the API Key disclosure issue!
2. Open JADX -> File -> Add File -> select test.apk. It takes some time to decompile (depending on your system environment).
3. Scroll down the left-hand panel, where you can see Resources -> resources.arsc -> res -> values -> strings.xml
4. Sometimes it may contain API keys, AWS keys, default passwords, admin creds, etc.
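The same review of strings.xml can be automated as a pre-release check on your own build. The script below is an added example, not part of the original write-up: it assumes a decoded res/values/strings.xml (for instance from `apktool d test.apk`), and the patterns, function names and sample values are illustrative assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Publicly documented key formats; extend this for the providers you use.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
}
# Resource names that suggest a credential, whatever the value looks like.
NAME_HINT = re.compile(r"(api[_-]?key|secret|passw(or)?d|token|credential)", re.I)

def redact(value):
    """Keep a short prefix so the finding can be located, never the full secret."""
    return value[:4] + "..." if len(value) > 4 else "****"

def scan_strings_xml(xml_text):
    """Return (name, reason, redacted_value) for each suspicious <string> entry."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = "".join(node.itertext()).strip()
        if not value:
            continue
        hits = [label for label, rx in VALUE_PATTERNS.items() if rx.search(value)]
        # Heuristic (assumption): UI labels contain spaces, credentials do not,
        # and "@..." values are references to other resources.
        looks_like_label = " " in value or value.startswith("@")
        if not hits and NAME_HINT.search(name) and not looks_like_label:
            hits = ["suspicious_name"]
        findings.extend((name, reason, redact(value)) for reason in hits)
    return findings

# Constructed sample: the AWS value is the placeholder from AWS documentation,
# the Google-style key is padding, and the password is made up.
FAKE_GOOGLE_KEY = "AIza" + "0" * 35
SAMPLE = f"""<resources>
    <string name="app_name">Test</string>
    <string name="google_maps_key">{FAKE_GOOGLE_KEY}</string>
    <string name="aws_id">AKIAIOSFODNN7EXAMPLE</string>
    <string name="admin_password">changeme</string>
    <string name="password_hint">Enter your password</string>
</resources>"""

if __name__ == "__main__":
    # Pass a path to a decoded strings.xml, or run with no arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, reason, shown in scan_strings_xml(text):
        print(f"{name}: {reason} ({shown})")
```

Anything flagged should be moved out of the APK to a server-side component or restricted in the provider's console, since every string shipped in the package is readable by anyone who downloads it.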
Note:
If you find any API key, please refer to this git repository to explain the impact.
Linkedin : Barath Stalin