# Finding Security Vulnerabilities in Android Applications

This is one of the many vulnerabilities that I have found in Android Applications.

The first thing I do while testing Android apps is running my own bash script [apknuke](https://github.com/utkarsh24122/apknuke) on the given apk.\
I have made the script easy to run; just enter the command: `./apknuke.sh [target].apk`

As of now I am only writing about how I found and exploited some leaked Google Maps API keys in two different apps.

API keys and other strings (such as Firebase database links) are generally stored in the strings.xml file, which can be found in the /res/values/ folder of the decompiled directory after decompiling the app.\
My tool does this automatically: it decompiles the apk file and searches for such strings (among other things; check out its [features](https://github.com/utkarsh24122/apknuke#features-)) using regular expressions (RegEx).
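The same kind of check can run against your own build before release. The following is an added example, not code from apknuke or the original post: it parses every `res/values*/strings.xml` in a decompiled directory and reports which resource holds a Google API key or Firebase database URL. The two regular expressions are the commonly used shapes for these strings (an assumption, not taken from the tool), and the sample key and URL are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed patterns: Google API keys are "AIza" + 35 URL-safe characters;
# Firebase Realtime Database links end in firebaseio.com.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "firebase_url": re.compile(r"https://[a-z0-9.\-]+\.firebaseio\.com"),
}

def scan_strings_xml(path):
    """Return (resource_name, kind, value) for each match in <string> entries."""
    findings = []
    for elem in ET.parse(path).getroot().iter("string"):
        text = "".join(elem.itertext())
        for kind, rx in PATTERNS.items():
            for value in rx.findall(text):
                findings.append((elem.get("name"), kind, value))
    return findings

def scan_decompiled_dir(root):
    """Scan every res/values*/strings.xml under a decompiled APK directory."""
    results = []
    for xml_path in sorted(Path(root).glob("res/values*/strings.xml")):
        results.extend(scan_strings_xml(xml_path))
    return results

# Constructed sample input: placeholder key and URL, not real credentials.
SAMPLE_KEY = "AIza" + "X" * 35
SAMPLE_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo</string>
    <string name="google_maps_key">{SAMPLE_KEY}</string>
    <string name="firebase_database_url">https://demo-app-0000.firebaseio.com</string>
</resources>
"""

def demo():
    """Write the sample into a temporary decompiled layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        values = Path(tmp) / "res" / "values"
        values.mkdir(parents=True)
        (values / "strings.xml").write_text(SAMPLE_XML, encoding="utf-8")
        return scan_decompiled_dir(tmp)

if __name__ == "__main__":
    for name, kind, value in demo():
        print(f"{kind:15} {name:25} {value[:8]}...")  # mask most of the value
```

Each key reported this way should then be checked in the Google Cloud console for application and API restrictions before the build ships.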

Output of my tool while testing two different applications:

![1](https://929906876-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-McdN2X0veTENxx9JlEB%2F-MirDGmIHDi1GNGDD_qZ%2F-MirDgOVQG4fhQvWq6mh%2F1.PNG?alt=media\&token=cb48dc7c-b1e1-4d3c-aca7-84982ef96305)

![2](https://929906876-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-McdN2X0veTENxx9JlEB%2F-MirDGmIHDi1GNGDD_qZ%2F-MirDpJqS2CYRoYbGPKZ%2F2.PNG?alt=media\&token=bbb5b899-9af8-4a94-a71f-2c8a8c633fca)

These API keys are found in every Android app that uses Google Maps or other services, but a security issue arises when such keys are not configured properly and are publicly usable for making API calls.

To check whether the detected API keys have proper access control, we need to check their validity on each service, such as static maps, geocoding, etc. This can be done manually using the [keyhacks](https://github.com/streaak/keyhacks#google-maps-api-key) GitHub repository.\
But since I am a big automation geek, let me show how I detect whether a Google Maps API key is vulnerable or not using [*gmapsapiscanner*](https://github.com/ozguralp/gmapsapiscanner/).\
To set up this tool, run:

```
wget https://raw.githubusercontent.com/ozguralp/gmapsapiscanner/master/maps_api_scanner_python3.py
# Create an alias and save it in ~/.bashrc
alias apiscan="python3 [path]/maps_api_scanner_python3.py"
# Now apiscan can be run from any directory.
```

Run `apiscan` and it will ask for the API key to be tested:

![Vulnerability Detected](https://929906876-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-McdN2X0veTENxx9JlEB%2F-MirDGmIHDi1GNGDD_qZ%2F-MirE7OrZ6BXKLp2NQjB%2F3.PNG?alt=media\&token=53d73e87-8c20-4060-b2c8-b0ebe0b1433c)

The impact here is that this API key is misconfigured and can be publicly used for calling the Geocode service of Google Maps. This service is a paid one. For every 1,000 requests, the company has to pay $5.\
For an attacker it is easy to make 100,000 requests at once using Burp Intruder (or any other tool), which will cost the company $500 at once, and if the attack is made 100 times a day... well, you can do the math!

The second application that I tested had 2 API keys leaked. The first one was configured perfectly, but the second one was the total opposite.

![](https://929906876-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-McdN2X0veTENxx9JlEB%2F-MiqqU4ASJqYFRb1nDan%2F-MirBNeQv-4o86qux1mM%2F4.PNG?alt=media\&token=5975da50-1236-4934-a008-9a547246eb80)

The API key found was used for 14 paid services and a few of them were quite expensive, making the impact of this vulnerability even higher.

I have tried my best to keep this tutorial short and simple, but if you wish to learn more about API key misconfigurations you may read this awesome Medium [blog](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e).\
To detect more such vulnerabilities in Android applications, feel free to use my tool: [apknuke](https://github.com/utkarsh24122/apknuke). 💯

As always, feedback is most welcome. 😄

