Published in Mobis3c
Insecure Data Storage: Clear Text Storage of Sensitive Information (Hard-coded strings, credentials, tokens & keys)

Before we get started, we need the APK. It can be pulled from a device after installing the application from the Play Store, or downloaded from an online APK mirror.

For this practical, we will look for a hardcoded Google API key.

Now let's start analysing the application by opening it in Jadx (check this post to set up the tool).

Note: In most cases, hardcoded secrets are found in AndroidManifest.xml and res/values/strings.xml, but make sure you check the res/raw and assets folders as well.

If you open resources.arsc/res/values/strings.xml in Jadx, you will find the Google API key as shown below.

(screenshot: the Google API key in strings.xml, viewed in Jadx)

But at this point we know nothing about the key: which Google services it is enabled for, or whether it is still valid.

So let us use KeyHacks. It lists, per API key type, the requests you can make to check whether a leaked key is valid and which sensitive data or services that key gives access to.

Go to KeyHacks and search for Google; multiple services accept a Google API key, so I replaced the key_here keyword in the service URLs with the key and checked the response.

(screenshot: Google API error response)

I got this error for a few services, from which I assume I am authorized to use the service but not from this IP address, i.e. a referer restriction.

While browsing the code, I came across one outgoing request that had two unique headers which caught my attention. They were:
X-Android-Cert and X-Android-Package

(screenshot: the request with the X-Android-Cert and X-Android-Package headers)

X-Android-Cert carries the SHA-1 fingerprint of the certificate the APK was signed with. To obtain it:

Extract the APK with an archive manager and open /META-INF, which contains the signing certificate (the file is named after the signer and may be CERT.RSA, CERT.DSA or CERT.EC depending on the key type). Use keytool to print the certificate details, including its SHA-1 fingerprint:

keytool -printcert -file CERT.RSA

(screenshot: keytool -printcert output showing the SHA1 fingerprint)

The second header is self-descriptive: X-Android-Package is the package name of the APK, com.redacted.app in this case.

Add both headers to the requests against the Google APIs to see whether the restriction can be bypassed. This is exactly the check Google performs for a key restricted to "Android apps": it compares the package name and certificate fingerprint in these headers against the values registered for the key. Since both values are recoverable from the APK itself, such a restriction does not protect a key shipped inside the app.

(screenshot: successful API response after adding the two headers)
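The two steps above (pulling the key out of strings.xml, then deriving the X-Android-Cert value from keytool's fingerprint and attaching it together with X-Android-Package) as an added Python example; this is not code from the original post or from any Google tooling. The strings.xml excerpt and the keytool output are constructed fixtures, the API key is a fake that only matches the well-known AIza... pattern, com.redacted.app is the placeholder package name the post uses, and the request is built but never sent.

```python
"""Added example (not from the original post): locate hardcoded Google API keys
in a decoded strings.xml and build the X-Android-Package / X-Android-Cert
headers used for 'Android apps' key restrictions. All inputs are constructed."""
from __future__ import annotations

import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

# Google API keys are 39 characters: the literal prefix "AIza" plus 35
# characters from [0-9A-Za-z_-].
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# keytool -printcert prints the fingerprint as "SHA1: AA:BB:..." (20 bytes).
KEYTOOL_SHA1_RE = re.compile(r"SHA1:\s*((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})")

# Hypothetical key, built so it matches the pattern (39 chars).
FAKE_KEY = "AIzaSyEXAMPLEkey" + "0" * 23

# Constructed res/values/strings.xml, in the shape Jadx shows.
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Redacted</string>
    <string name="google_api_key">{FAKE_KEY}</string>
    <string name="support_url">https://example.invalid/help</string>
</resources>
"""

# Constructed excerpt of `keytool -printcert -file CERT.RSA` output.
SAMPLE_KEYTOOL_OUTPUT = """Owner: CN=Redacted, O=Redacted
Issuer: CN=Redacted, O=Redacted
Serial number: 1
Certificate fingerprints:
\t SHA1: DE:AD:BE:EF:01:23:45:67:89:AB:CD:EF:FE:DC:BA:98:76:54:32:10
"""


def find_google_api_keys(strings_xml: str) -> list[tuple[str, str]]:
    """Return (resource_name, key) for every <string> whose value contains a
    Google API key, then fall back to a raw regex scan so keys embedded in
    other resource types or attributes are not missed."""
    found: list[tuple[str, str]] = []
    root = ET.fromstring(strings_xml)
    for elem in root.iter("string"):
        for key in GOOGLE_KEY_RE.findall(elem.text or ""):
            found.append((elem.get("name", "?"), key))
    named = {key for _, key in found}
    for key in GOOGLE_KEY_RE.findall(strings_xml):
        if key not in named:
            found.append(("<unnamed>", key))
    return found


def android_cert_from_keytool(keytool_output: str) -> str:
    """Convert keytool's colon-separated SHA1 fingerprint into the form sent
    in X-Android-Cert: 40 uppercase hex characters without separators."""
    match = KEYTOOL_SHA1_RE.search(keytool_output)
    if not match:
        raise ValueError("no SHA1 fingerprint found in keytool output")
    return match.group(1).replace(":", "").upper()


def android_cert_from_der(cert_der: bytes) -> str:
    """Same value computed directly from the DER-encoded signing certificate,
    which is what keytool hashes to print the SHA1 fingerprint."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def android_app_headers(package_name: str, cert_sha1: str) -> dict[str, str]:
    """Headers an Android client sends so Google can enforce an 'Android apps'
    key restriction. Both values come straight out of the APK."""
    if not re.fullmatch(r"[0-9A-F]{40}", cert_sha1):
        raise ValueError("cert_sha1 must be 40 uppercase hex characters")
    return {"X-Android-Package": package_name, "X-Android-Cert": cert_sha1}


def build_probe(url: str, key: str, headers: dict[str, str]) -> urllib.request.Request:
    """Build (but do not send) a probe against one of the endpoints KeyHacks
    lists; urllib.request.urlopen(req) would perform the request."""
    sep = "&" if "?" in url else "?"
    return urllib.request.Request(f"{url}{sep}key={key}", headers=headers)


if __name__ == "__main__":
    cert = android_cert_from_keytool(SAMPLE_KEYTOOL_OUTPUT)
    hdrs = android_app_headers("com.redacted.app", cert)
    for name, key in find_google_api_keys(SAMPLE_STRINGS_XML):
        req = build_probe("https://maps.googleapis.com/maps/api/geocode/json?address=Berlin", key, hdrs)
        print(f"{name}: {key}")
        print(f"  GET {req.full_url}")
        for header, value in hdrs.items():
            print(f"  {header}: {value}")
```

Run it against the real decoded strings.xml and the real keytool output, and compare the response with and without the two headers; a key that only answers once the headers are present is restricted to the Android app, and the restriction is defeated by anyone holding the APK.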

Kal, Security Enthusiast
