Insecure Data Storage: Clear Text Storage of Sensitive Information (Hard-coded strings, credentials, tokens & keys)

Sanatsu, published in Mobis3c, Feb 4, 2021

Before we get started, we need the APK. It can be pulled from a device after installing the application through the Play Store, or downloaded from an online APK mirror.

For this practical, we will be looking for a hardcoded Google API key.

Now, let's start analysing the application by opening it in Jadx (check this post to set up the tool).

Note: In most cases, hardcoded secrets will be found in AndroidManifest.xml and strings.xml; make sure you check the raw folder for secrets as well.

So if you go through resources.arsc/res/values/strings.xml, you will be able to find the Google API key as shown.

Screenshot: jadx
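As an added example that is not part of the original post, here is a small Python scanner that walks a jadx output directory and reports Google API keys wherever they sit in the locations named above (strings.xml, AndroidManifest.xml, the raw folder and other text resources), so a developer can catch such a key before release, or an auditor can locate it without paging through the tree by hand. The key pattern (prefix AIza followed by 35 URL-safe characters) and the list of file suffixes scanned are assumptions; any sample values used to exercise it are constructed.

```python
import os
import re
import sys

# Assumption: Google API keys are 39 characters, the fixed prefix "AIza"
# followed by 35 characters from the URL-safe alphabet.
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Assumption: text resources in a decompiled APK where secrets typically land
# (manifest, values/strings.xml, res/raw, decompiled sources).
INTERESTING_SUFFIXES = (".xml", ".json", ".txt", ".properties", ".java", ".kt", ".js")


def scan_text(text):
    """Return (line_number, key) pairs for every Google API key found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def mask(key):
    """Keep only the prefix and last four characters so the report itself is not a leak."""
    return key[:8] + "..." + key[-4:]


def scan_tree(root):
    """Walk a jadx output directory and return (relative path, line, key) per hit.

    Binary artefacts (classes.dex, resources.arsc, images) are skipped by suffix;
    text files are read with undecodable bytes ignored so odd encodings do not abort the scan.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(INTERESTING_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                for lineno, key in scan_text(fh.read()):
                    findings.append((os.path.relpath(path, root), lineno, key))
    return findings


if __name__ == "__main__":
    # Usage: python scan_keys.py <jadx-output-dir>
    for rel, lineno, key in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}:{lineno}: {mask(key)}")
```

Any hit should be treated as a finding to triage with the application's owners, since a key shipped in an APK cannot be kept secret from whoever installs it.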

But we know nothing about this key, or whether it is still valid.

So let us use KeyHacks: it shows how to check whether the keys we found are valid, whether they leak sensitive information, and the ways in which particular API keys can be used.

Go to KeyHacks and search for Google; I found multiple services available for the API key, so I replaced the key_here keyword in the service URLs and checked the response.

Screenshot: Google API response

I got this error for a few services, from which I assume I'm authorized to use the service but not from this IP address, i.e. a referer restriction.

While browsing the code, I came across one outgoing request that had two unique headers which caught my attention. They were:
X-Android-Cert and X-Android-Package

Screenshot: unique headers

X-Android-Cert contains the app's signing certificate hash (SHA-1). To check it out:

Extract the APK using an archive manager and open /META-INF, which contains the certificate file. To view information about the certificate, use keytool:

keytool -printcert -file CERT.RSA
Screenshot: keytool output

The second header is pretty descriptive, as its name X-Android-Package suggests: it is the package name of the APK, com.redacted.app.

Add both headers to the request to the Google APIs to see if the authorization can be bypassed.

Screenshot: after bypassing the restriction
