Android APK leaks access token, allowing takeover of the whole infrastructure

Hi, everyone

My name is Santosh Kumar Sha, and I'm a security researcher from India (Assam). In this article, I will describe how I found the production and staging access tokens leaked by an Android application and used them to take over the whole infrastructure.

Tips for finding Android bugs:

Tools required:

  1. gf (tomnomnom) — https://github.com/tomnomnom/gf
  2. grep
  3. apktool

Case: finding hard-coded credentials in an Android APK.

Here is how I got access to the company's production and staging servers through an access token leaked by its Android application.

I was looking for Android bugs in one of the public bug bounty programs, so I downloaded the application's APK file, decompiled it and started looking around.

How to download the Android application:

Suppose “example” is the company whose Android application you are looking for.

Just search on Google for something like “example android application downloadable”.

Command to decompile the Android application:

apktool d example.apk

I then used grep to look for base64-encoded strings; you can also use the gf tool.

Just navigate to the folder where you decompiled the APK and search for hard-coded secrets. Here is the command I prefer for finding base64-encoded strings (“eyJ” is how the opening {" of a JSON object, such as a JWT header, encodes in base64):

grep -Hnri --color "eyJ" *

And the output it produced made my day.

Output:

r�5.6.4p3
m��%�I�$4���v�A�global.assets-Production_accessssConfig0eyJUa………….

After seeing that output, I quickly decoded the base64-encoded string, used the token to log into the production application, and from there was finally able to take over the whole infrastructure.
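As an added example (my code, not the author's), the search step automated in Python: it walks an apktool output tree, matches the eyJ prefix inside binary assets as well as text files, decodes each JWT's header and payload, and reports only file, offset, algorithm and claim names so a hit can be triaged and the token rotated without pasting the secret into a report. The sample tree, the token and its file names are constructed for the demo.

```python
import base64, json, re, tempfile
from pathlib import Path

# A JWT is header.payload.signature in base64url. A JSON object starts with '{"',
# which always encodes to "eyJ": that prefix is what the grep above keys on.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")

def b64url_json(seg: bytes):
    """Decode one base64url segment into a JSON object, or None if it is not one."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4)))
    except ValueError:  # bad padding, invalid UTF-8 and bad JSON all land here
        return None
    return obj if isinstance(obj, dict) else None

def find_jwts(data: bytes):
    """Yield (offset, header, payload) for each decodable JWT in a byte blob."""
    for m in JWT_RE.finditer(data):
        header, payload, _sig = m.group().split(b".")
        hdr, pl = b64url_json(header), b64url_json(payload)
        if hdr is not None and pl is not None:
            yield m.start(), hdr, pl

def scan_tree(root):
    """Walk an apktool output directory; report file, offset, alg and claim
    names only, never the token itself, so the report is safe to share."""
    root = Path(root)
    return [{"file": p.relative_to(root).as_posix(), "offset": off,
             "alg": hdr.get("alg"), "claims": sorted(pl)}
            for p in sorted(root.rglob("*")) if p.is_file()
            for off, hdr, pl in find_jwts(p.read_bytes())]

def _demo_jwt(header, payload):
    """Build an unsigned demo token; the last segment is a placeholder, not a signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=")
    return enc(header) + b"." + enc(payload) + b".placeholdersignature0"

def demo():
    """Constructed sample tree: a binary asset carrying a production token next to
    a harmless XML file, mimicking the global.assets hit described in the post."""
    tree = Path(tempfile.mkdtemp())
    (tree / "assets").mkdir()
    token = _demo_jwt({"alg": "HS256", "typ": "JWT"}, {"env": "production", "sub": "api"})
    (tree / "assets" / "global.assets").write_bytes(
        b"\x00\x05Production_accessConfig\x00" + token + b"\xff\xfe junk")
    (tree / "res").mkdir()
    (tree / "res" / "strings.xml").write_text("<string name='x'>no token here</string>")
    return scan_tree(tree)
```

Running `demo()` returns one finding for assets/global.assets with alg HS256 and claims env and sub; the token bytes never appear in the result.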

Takeaway

I'm sure that a lot of security researchers have already seen this process, but this is how I approach finding SSRF, and I have reported many bugs in bug bounty programs using this process. I hope this helps you find more hard-coded credentials in APKs.

That's one of the reasons why I wanted to share my experience, and also to highlight other techniques for exploiting such vulnerabilities.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996
