2. Sensitive Information Disclosure
Methods to find a bug
Rough note:
1. Hard-coded credentials and API keys
2. Keys are cryptographic-looking strings and resemble a session ID
3. Common key names: id, api, key, cred, uname, pass, db, url, uri, aws pool id
res -> values -> strings.xml: check for keys
AndroidManifest.xml: check for keys
All files: search every file for keys
Steps:
1) Open Jadx
2) adb pull apk.apk
3) Load the APK file
4) Decompile the APK
5) Search for keys (random process)
6) Go to res/values/strings.xml and AndroidManifest.xml
Keywords: api, key, db, cred, uname, pass, url, uri
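Step 6 can be automated when auditing your own app before release. The script below is an added example, not part of the original note: it parses a Jadx-decoded strings.xml and AndroidManifest.xml and flags entries whose names contain one of the keywords listed above. The sample XML, the function names and the token-splitting rule are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Keywords taken from the note's list of common key names.
KEYWORDS = ("id", "api", "key", "cred", "uname", "pass", "db", "url", "uri", "aws", "pool")
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample files (not from a real app).
SAMPLE_STRINGS = """<resources>
    <string name="app_name">Demo</string>
    <string name="maps_api_key">EXAMPLE-NOT-A-REAL-KEY</string>
    <string name="db_pass">example-password</string>
    <string name="welcome">Hello</string>
</resources>"""

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application>
        <meta-data android:name="com.example.API_KEY" android:value="EXAMPLE-NOT-A-REAL-KEY"/>
        <meta-data android:name="com.example.theme" android:value="dark"/>
    </application>
</manifest>"""

def name_is_suspicious(name):
    """True if any token of the name (split on _ . - or camelCase) is a keyword."""
    tokens = re.split(r"[^a-z0-9]+", re.sub(r"([a-z])([A-Z])", r"\1_\2", name).lower())
    return any(tok in KEYWORDS for tok in tokens)

def scan_strings_xml(xml_text):
    """Return (name, value) for <string> entries whose name matches a keyword."""
    root = ET.fromstring(xml_text)
    return [(s.get("name"), (s.text or "").strip())
            for s in root.iter("string") if name_is_suspicious(s.get("name", ""))]

def scan_manifest(xml_text):
    """Return (name, value) for <meta-data> entries whose name matches a keyword."""
    root = ET.fromstring(xml_text)
    hits = []
    for md in root.iter("meta-data"):
        name = md.get(ANDROID_NS + "name", "")
        if name_is_suspicious(name):
            hits.append((name, md.get(ANDROID_NS + "value", "")))
    return hits

if __name__ == "__main__":
    for source, hits in (("strings.xml", scan_strings_xml(SAMPLE_STRINGS)),
                         ("AndroidManifest.xml", scan_manifest(SAMPLE_MANIFEST))):
        for name, value in hits:
            print(f"{source}: {name} = {value}")
```

Matching is on whole name tokens, so `app_name` is not flagged while `maps_api_key` and `awsPoolId` are. Every hit still needs manual review to decide whether the value is a real secret.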
Exploit this Vulnerability Using this Repo: