Android apk leaks access token to takeover the whole infrastructure


Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how I was able to Find the production and staging access token leaked by android application and takeover the whole infrastructure .

I am now offering 1:1 sessions to share my knowledge and expertise:

TIP For looking for android bug :

Tools Requried:

  1. gf (tomnomnom) —
  2. grep
  3. apktool

Case# — — Finding hard coded Credential in android apk .

Here is how I get access to the company production and staging server by the access token leaked by android application.

So I was looking for android bug in One of the public bugbounty program . So i download the android application apk file and de-compile and started looking around.

How to download android application:

Suppose “example” the company to look for android application

Just search on Google like these “example android application downloadable”

Command to decompile the android application:

apktool d exaple.apk.

Now I have used grep command to look for base64 encoded string Or you can also used gf tool .

Just navigate to the folder where you have decompile the android apk and search for the hardcoded secret.Here is the command I prefer to search for base64 encoded string.

grep -Hnri “eyJ” * — color

And the out it got it blow up my joy.



After see the output I am like

So i quickly decoded the the base64 encoding string and used those token and I logged into producetion application. And finally able to access the infrastrucure down.


I’m sure that a lot of security researcher had already see there process but this how I approach for find ssrf , and i have reported many in bugbounty program using this process, .I hope this will help to find more apk hardcore credential

That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Thanks for reading :)
Stay Safe.



Santosh Kumar Sha (@killmongar1996)

Cloud Security Engineer |Security Researcher |Pentester | Bugbounty hunter | Pentration tester | CTF player |