@Kishan Kumar (noobie-boy) > Independent Web/Mobile security researcher, bug hunter and App-Sec Trainer
Hi, this is my 2nd write-up about my Android hunting, and I’m going to share my finding on how we can find the most critical information inside an APK file. I have seen that most hunters like to do dynamic testing using Burp Suite, but I want to suggest something: sometimes we have to focus on static testing to find better flaws.
To keep this write-up effective and time-friendly, I’ll keep it as short as possible and informative.
The program was about a news agency and covered their web app and their mobile application. I had managed to get their PII data, which is very sensitive by nature, including their banking details like bank transaction info, API keys and much more, which were stored in an Excel file. I found these Excel files via the company's admin panel, which I found in their Android application through static analysis.
1: First, I downloaded the target APK file.
2: Used the dex2jar tool to convert the APK into a JAR.
3: Opened the JAR file in JD-GUI.
4: Then I checked the com/target/global/Constants.java file and got the admin URL from there. The admin panel had the default credentials admin:admin. After authentication I used DirBuster for content discovery and found the file below, which had lots of information and some Excel files including banking details.
This is all I can share; the rest is sensitive enough that I can’t share it.
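The hard-coded admin URL in Constants.java is the kind of string you can also pull straight out of the APK without dex2jar or JD-GUI, because every string literal in the code (URLs included) sits verbatim in the dex string table, and plain-text files under assets/ are shipped as-is inside the zip. The script below is an added example, not code from the original write-up: it scans classes*.dex and text assets for URLs, credentials embedded in URLs, and key=value secrets, and then lists the URLs that mention an admin panel, which are the ones to try first with default credentials and content discovery. The fixture APK it builds (the hosts, the api_key value and the admin_user/admin_pass lines) is constructed for the demo, and the classes.dex inside it is a fake with a dex magic and a few NUL-separated strings, not a real dex. Field names and values of a Java constant are separate dex strings, so the key=value check only runs on text assets; res/ XML and AndroidManifest.xml are binary-encoded and need apktool, so they are skipped.

```python
# Added example (not from the original write-up): offline static triage of an
# APK for hard-coded URLs and credentials, before any dex2jar/JD-GUI step.
import io
import re
import sys
import zipfile

# A URL literal is one entry in the dex string table, so a byte regex over
# classes.dex finds it without parsing the dex format.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Credentials embedded in a URL (https://user:pass@host/...), flagged separately.
BASIC_AUTH_RE = re.compile(rb"https?://([^/@\s:]+):([^/@\s]+)@")
# key=value or "key": "value" inside plain-text assets. A Java constant's name
# and value are separate dex strings, so this is only run on text files.
KV_RE = re.compile(
    rb"(?i)\b(api[_-]?key|secret|password|passwd|token|admin[_-]?(user|pass))\b"
    rb"[\"']?\s*[=:]\s*[\"']?([^\s\"',]{4,})"
)
TEXT_ASSET_EXTS = (".properties", ".json", ".js", ".txt", ".cfg", ".ini", ".xml")


def is_text_asset(name: str) -> bool:
    # Only assets/ holds raw text; res/ XML is binary-encoded (needs apktool).
    return name.startswith("assets/") and name.lower().endswith(TEXT_ASSET_EXTS)


def scan_member(name: str, data: bytes) -> dict:
    """Return URLs, URL-embedded credentials and key/value secrets in one file."""
    urls = sorted({m.group(0).decode("utf-8", "replace") for m in URL_RE.finditer(data)})
    creds = sorted({(m.group(1).decode(), m.group(2).decode())
                    for m in BASIC_AUTH_RE.finditer(data)})
    kv = []
    if is_text_asset(name):
        kv = sorted({(m.group(1).decode().lower(), m.group(3).decode("utf-8", "replace"))
                     for m in KV_RE.finditer(data)})
    return {"urls": urls, "creds": creds, "kv": kv}


def scan_apk(apk) -> dict:
    """apk: path or file-like object. Reads *.dex and text assets only."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.endswith(".dex") or is_text_asset(name):
                found = scan_member(name, zf.read(name))
                if any(found.values()):
                    findings[name] = found
    return findings


def admin_urls(findings: dict) -> list:
    """URLs whose host or path mentions an admin panel: first targets for a
    default-credential check and content discovery, as in the write-up."""
    return sorted({u for f in findings.values() for u in f["urls"] if "admin" in u.lower()})


def build_sample_apk() -> bytes:
    """Constructed fixture: a zip shaped like an APK. The classes.dex is a fake
    (dex magic plus NUL-separated string literals), not a real dex file."""
    dex = (b"dex\n035\x00" + b"\x00" * 32
           + b"https://www.example.com/api/v1\x00"
           + b"https://admin.example.com/admin/\x00"
           + b"https://svc:hunter2@api.example.com/upload\x00"
           + b"API_KEY\x00")
    props = b"api_key=sample-key-1234\ndebug=true\nadmin_user=admin\nadmin_pass=admin\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/config.properties", props)
        zf.writestr("res/values/strings.xml", b"\x03\x00\x08\x00binary-xml")  # skipped
    return buf.getvalue()


def scan_sample() -> dict:
    """Run the scanner over the constructed fixture APK."""
    return scan_apk(io.BytesIO(build_sample_apk()))


if __name__ == "__main__":
    # Usage: python apk_triage.py target.apk   (falls back to the fixture)
    result = scan_apk(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for member, f in result.items():
        print(member)
        for u in f["urls"]:
            print("  url  ", u)
        for user, pw in f["creds"]:
            print("  cred ", f"{user}:{pw} (embedded in URL)")
        for k, v in f["kv"]:
            print("  kv   ", f"{k}={v}")
    print("admin panels:", admin_urls(result))
```

Run it against a real APK and treat every URL it prints as in scope for the dynamic phase; an admin URL plus a default password is exactly the chain described above, so checking admin:admin (and the vendor's documented defaults) against each flagged panel is the natural next step before firing up DirBuster.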
If you have any questions or need any help regarding bug hunting in Mobile/Web/API, please reach out to me without any hesitation.