Finding Security Vulnerabilities in Android Applications
Read about how I detected an exposed API key in an Android application using my own script, and how I exploited it to establish the impact.
This is one of the many vulnerabilities that I have found in Android Applications.
The first thing I do while testing Android apps is to run my own bash script on the given APK.
I have made the script easy to run; just enter the command: ./apknuke.sh [target].apk
For now I am only writing about how I found and exploited some leaked Google Maps API keys in two different apps.
API keys and other sensitive strings (such as Firebase database URLs) are generally stored in the strings.xml file, which can be found in the /res/values/ folder of the decompiled directory after decompiling the app (for example with apktool). My tool does this automatically: it decompiles the APK file and searches the output for such strings (among other things ... check out its ) using regular expressions (RegEx).
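As an added illustration of that step (this is my own example, not the author's apknuke.sh, which is not reproduced on this page), here is a small Python scanner that does the strings.xml part of the job. It assumes the APK has already been decoded with apktool (`apktool d target.apk -o target`), so that res/values*/strings.xml exists as plain XML. The sample strings.xml, key and Firebase URL embedded below are constructed and follow only the format of real ones.

```python
"""Scan a decoded Android APK's res/values*/strings.xml for leaked keys.

Added example, not the author's apknuke.sh. Assumes apktool has already
decoded the APK so that strings.xml is plain text (the resources inside a
raw APK are binary-encoded and cannot be grepped directly).
"""
import os
import re
import xml.etree.ElementTree as ET

# Patterns for the kinds of strings the article mentions. Google API keys
# start with "AIza" followed by 35 URL-safe characters (39 chars total);
# Firebase Realtime Database URLs use the <project>.firebaseio.com host.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}


def scan_strings_xml(xml_text):
    """Return [(string name, kind, matched value)] for every <string> that matches."""
    hits = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("string"):
        value = (elem.text or "").strip()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                hits.append((elem.get("name"), kind, match.group(0)))
    return hits


def scan_decoded_apk(root_dir):
    """Walk an apktool output directory and scan every res/values*/strings.xml."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        if os.path.basename(dirpath).startswith("values") and "strings.xml" in filenames:
            with open(os.path.join(dirpath, "strings.xml"), encoding="utf-8") as f:
                hits.extend(scan_strings_xml(f.read()))
    return hits


# Constructed sample of what a decoded strings.xml looks like. The key and
# URL are made up (format only); they are not real credentials.
SAMPLE_KEY = "AIzaSyAbCdEfGhIjKlMnOpQrStUvWxYz0123456"
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo Store</string>
    <string name="google_maps_key">{SAMPLE_KEY}</string>
    <string name="firebase_database_url">https://demo-store-1a2b3.firebaseio.com</string>
    <string name="api_base">https://api.example.com/v1/</string>
</resources>
"""

if __name__ == "__main__":
    import sys
    # With a path argument: scan a real apktool output directory.
    # Without one: demonstrate on the constructed sample above.
    if len(sys.argv) > 1:
        found = scan_decoded_apk(sys.argv[1])
    else:
        found = scan_strings_xml(SAMPLE_STRINGS_XML)
    for name, kind, value in found:
        print(f"[{kind}] {name} = {value}")
```

A key found this way is only a lead, not a finding: the Maps SDK for Android requires the key to ship inside the app, so the question is whether the key is restricted, which the next step checks.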
Output of my tool while testing two different applications:
Such keys are present in every Android app that uses Google Maps or other Google services, and that by itself is expected; a client-side key cannot be kept secret. The security issue arises when a key is not restricted properly (in the Google Cloud console, to the app's package name and signing-certificate SHA-1 fingerprint, and to only the APIs the app actually needs), so that anyone who extracts it can use it publicly to make billable API calls.
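As an added example of the check behind that statement (my code, not the author's apiscan tool or the repository they link), the following Python probes the Geocoding API with a key and classifies the documented `status` field of the JSON reply: OK means the key was accepted, so anyone holding it can run up the bill; REQUEST_DENIED means the key's application or API restrictions blocked the call. The `fetch` hook lets the classifier run offline against the constructed replies embedded below; given a key on the command line it makes one real request, which you should only do against keys you are authorized to test. Static Maps returns an image rather than JSON, so each other service needs its own classifier; this covers Geocoding only.

```python
"""Probe whether a leaked Google Maps API key is usable against the Geocoding API.

Added example, not the author's apiscan tool. Classification relies on the
documented Geocoding response field "status"; the sample replies below are
constructed in that shape, and their error text is illustrative.
"""
import json
import urllib.parse
import urllib.request

GEOCODE_URL = "https://maps.googleapis.com/maps/api/geocode/json"


def _http_get(url, timeout=10):
    """Default fetcher: one GET, body returned as text (network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def classify_geocode_reply(body):
    """Map a Geocoding JSON body to ('exploitable' | 'restricted' | 'unknown', reason)."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown", "reply was not JSON"
    status = data.get("status")
    if status in ("OK", "ZERO_RESULTS"):
        # The request was authorized and billed: the key works for anyone.
        return "exploitable", f"status {status}: key accepted by the Geocoding API"
    if status == "REQUEST_DENIED":
        # Google explains the denial (app/IP/referrer restriction, API disabled, ...).
        return "restricted", data.get("error_message", "request denied")
    # OVER_QUERY_LIMIT, OVER_DAILY_LIMIT, INVALID_REQUEST and anything else
    # do not by themselves prove the key is open or closed.
    return "unknown", f"status {status}: inconclusive, inspect the reply"


def check_geocoding_key(api_key, fetch=_http_get):
    """Send one geocoding request with the key and classify the reply."""
    params = urllib.parse.urlencode({"address": "1600 Amphitheatre Parkway", "key": api_key})
    return classify_geocode_reply(fetch(f"{GEOCODE_URL}?{params}"))


# Constructed replies in the documented response shape (offline demo only).
SAMPLE_OPEN_REPLY = json.dumps({
    "results": [{"formatted_address": "Mountain View, CA, USA"}],
    "status": "OK",
})
SAMPLE_RESTRICTED_REPLY = json.dumps({
    "results": [],
    "status": "REQUEST_DENIED",
    "error_message": "This IP, site or mobile application is not authorized to use this API key.",
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, why = check_geocoding_key(sys.argv[1])  # live probe, one request
    else:
        verdict, why = check_geocoding_key("AIza-demo-key", fetch=lambda url: SAMPLE_RESTRICTED_REPLY)
    print(f"{verdict}: {why}")
```

A "restricted" verdict from Geocoding alone does not clear the key: the same key may still be open on other APIs, so every service the key is enabled for has to be probed separately, which is what the automated tool described below does.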
To check whether the detected API keys have proper access control, we need to test each key's validity against each service (Static Maps, Geocoding, and so on). This can be done manually using the GitHub repository. But since I am a big automation geek, let me show how I detect whether a Google Maps API key is vulnerable using . To set up the tool, run:
Then run apiscan, and it will prompt for the API key to be tested:
The impact here is that this API key is misconfigured and can be used by anyone to call the Geocoding service of Google Maps. This service is billed: for every 1,000 requests the company pays $5. An attacker can easily send 100,000 requests at once using Burp Intruder (or any other tool), which costs the company $500 in one go, and if the attack is repeated 100 times a day ... well, you can do the math. (This assumes the key's owner has not set a daily quota cap on the API in the Cloud console; a cap bounds the damage but does not make an unrestricted key safe.)
The second application that I tested had two API keys leaked. The first one was configured properly, but the second one was the total opposite.
That key was accepted by 14 paid services, a few of which were quite expensive, making the impact of this vulnerability even higher.
I have tried my best to keep this tutorial short and simple, but if you wish to learn more about API key misconfigurations you may read this awesome Medium . To detect more such vulnerabilities in Android applications, feel free to use my tool: . 💯
As always, feedback is most welcome. 😄