Sensitive Information Disclosure in Mobile Application

Rahul Kadavil
2 min readDec 7, 2022

--

Most of the bug bounty program consist of Android/iOS application within their scope. These are some of the scope which are less tested. Here I will describe few easy information disclosure vulnerability you can identify in both Android/iOS

1. Hard-coded Credentials

One of the common issues identified in Android/iOS. These apps contain hard-coded data such as credentials, API-key and token. Always verify whether these are sensitive and have impact then only report it because most of the time it will be False positives. Use Keyhacks by streaak for generating POC: https://github.com/streaak/keyhacks/blob/master/README.md

You can easily find it using a simple grep search.

Reports: https://hackerone.com/reports/440629

https://hackerone.com/reports/351555

Android Hard-coded Credentials Check:

1. Decompile the apk file using apktool: apktool d filename.apk

2. cd to the decompiled folder

3. Perform grep search within the folder grep -Hnri keyword

4. Other files within the folders such as assets, AndroidManifest.xml, raw/xml, strings.xml might contain sensitive information

iOS Hard-coded Credentials Check:

1. Rename the ipa file to zip and extract it

2. cd to the folder and do grep search grep -Hnri keyword

2. Sensitive information in Logs:

Both Android and iOS application collects logs from the user device to do analytics and stuff. Sometime the log might contain sensitive information, there are instance where user credentials, token and other sensitive information is stored in logs. The log generated by application is world-readable meaning any application an read the logs leading to sensitive information disclosure.

Reports: https://hackerone.com/reports/5314

Android Application Logs

1. Install the app in device and connect your device to your Laptop

2. Start using the application

3. Open terminal and use the adb command: adb logcat | grep -i appname

4. This will help to capture the logs for that particular application

iOS Application Logs

1. Install the app in device and connect your device to your mac

2. Open console application in you mac

3. Select your iOS device and search for the app name

3. Sensitive Information in Storage files

Check for the databases, shared preferences and config files within application directory for both Android (/data/data/app-name) and iOS. Sensitive information such as credentials and secrets will be stored here

--

--