Android apk leaks access token to takeover the whole infrastructure

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will describe how I was able to find production and staging access tokens leaked by an Android application and take over the whole infrastructure.

Tip for looking for Android bugs:

Tools required:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. grep
  3. apktool

Case: Finding hard-coded credentials in an Android APK.

Here is how I got access to the company’s production and staging servers through the access token leaked by the Android application.

So I was looking for Android bugs in one of the public bug bounty programs. I downloaded the Android application’s APK file, decompiled it and started looking around.

How to download the Android application:

Suppose “example” is the company whose Android application you are looking for.

Just search on Google for something like “example android application downloadable”.

Command to decompile the Android application:

apktool d example.apk

Now I used the grep command to look for base64-encoded strings, or you can also use the gf tool.

Just navigate to the folder where you decompiled the Android APK and search for hard-coded secrets. Here is the command I prefer for searching for base64-encoded strings (“eyJ” is the base64 of '{"', the start of a JWT header):

grep -Hnri "eyJ" * --color

And the output I got blew up my joy.

Output:

r�5.6.4p3
m��%�I�$4���v�A�global.assets-Production_accessssConfig0eyJUa………….

After seeing the output I was like:

So I quickly decoded the base64-encoded string, used those tokens and logged into the production application. And finally I was able to access the infrastructure.
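As an added example (not code from the original post), here is a defender-side scan that automates the grep above over a decompiled APK tree: it pulls out “eyJ” base64 runs, keeps only those that actually decode to JSON (so identifiers like KeyJarManagerImpl that happen to contain “eyJ” are dropped), and decodes the claims of anything that looks like a JWT so a build pipeline can fail on a production token. The sample tree, file names and token are constructed for the demo.

```python
"""Scan a decompiled APK tree for hard-coded JWT-like tokens (the 'eyJ' pattern)."""
import base64
import json
import os
import re
import tempfile

# "eyJ" is the base64 of '{"', so this catches JWT headers and other base64-encoded JSON.
TOKEN_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]{8,}){0,2}")

def b64url_decode(segment: bytes) -> bytes:
    """Decode base64url, restoring the padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))

def classify(token: bytes):
    """Return ('jwt', claims), ('base64-json', header) or (None, None) for noise."""
    parts = token.split(b".")
    try:
        header = json.loads(b64url_decode(parts[0]))
        if len(parts) == 3 and isinstance(header, dict) and "alg" in header:
            return "jwt", json.loads(b64url_decode(parts[1]))
        return "base64-json", header
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, None

def scan_tree(root: str) -> list:
    """Walk the tree as bytes so smali, XML and binary assets are all covered."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in TOKEN_RE.finditer(data):
                kind, decoded = classify(m.group(0))
                if kind is None:
                    continue  # e.g. the identifier "KeyJarManagerImpl" contains "eyJ"
                findings.append({"file": os.path.relpath(path, root), "kind": kind,
                                 "line": data.count(b"\n", 0, m.start()) + 1,
                                 "decoded": decoded})
    return findings

def make_demo_tree() -> str:
    """Constructed sample: one hard-coded token in an asset, one false positive in smali."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, "smali"))
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=")
    token = b".".join([seg(b'{"alg":"HS256","typ":"JWT"}'),
                       seg(b'{"env":"production","scope":"admin"}'),
                       seg(b"constructed-dummy-signature")])
    with open(os.path.join(root, "assets", "config.bin"), "wb") as fh:
        fh.write(b"\x00\x01Production_accessConfig\x00" + token + b"\n")
    with open(os.path.join(root, "smali", "KeyJarManagerImpl.smali"), "wb") as fh:
        fh.write(b".class public Lcom/example/KeyJarManagerImpl;\n")
    return root
```

Run `scan_tree("path/to/apktool-output")` against your own decompiled build; a non-empty result with `"kind": "jwt"` is what should block a release.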

Takeaway

I’m sure that a lot of security researchers have already seen this process, but this is how I approach finding SSRF, and I have reported many in bug bounty programs using this process. I hope this will help you find more hard-coded credentials in APKs.

That’s one of the reasons why I wanted to share my experience, and also to highlight other techniques to exploit such vulnerabilities.

Support me if you like my work! Buy me a coffee and follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996


Like to hack and break security code and defense | Security Researcher | Pentester | Bug bounty hunter | Penetration tester | CTF player | BUGBOUNTY
