@Exadra37
Last active August 8, 2021 16:35

HOW TO EXTRACT AN API KEY FROM A MOBILE APP WITH STATIC BINARY ANALYSIS

You can read the blog post here.

TLDR

An API key is probably the most common method developers use to identify what is making a request to an API server, but most developers are not aware of how trivial it is for a hacker, or even a script kiddie, to steal and reuse an API key for unauthorized access to their APIs.

We will see how to grab an API key by reverse engineering the binary of a mobile app quickly and effectively with an open source tool, and once we see how easy it can be, we will realize why it is achievable even by non-developers.

#!/bin/bash
docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf

$ strings -aw lib/x86/libnative-lib.so | grep -in -C 1 'JNI_API_KEY' -

$ strings -aw lib/x86/libnative-lib.so | grep -in -C 1 'API' -

$ strings -aw lib/x86/libnative-lib.so | grep -in -C 1 'yDbx5R+a6zJ3H76iU9YB9U0GY6DjZ4FiWFb8vCMCdLg=' -
932-[^_]
933:yDbx5R+a6zJ3H76iU9YB9U0GY6DjZ4FiWFb8vCMCdLg=
934-cannot allocate __cxa_eh_globals

$ strings -aw lib/x86/libnative-lib.so
Android
5232133
__cxa_atexit
LIBC
libc.so
libnative-lib.so
__cxa_finalize
__stack_chk_fail
Java_com_criticalblue_androidhidesecrets_MainActivity_stringFromJNI

- - -> omitted output < - - -

[^_]
9V
t$
u
9V
u
[^_]
[^_]
yDbx5R+a6zJ3H76iU9YB9U0GY6DjZ4FiWFb8vCMCdLg=
cannot allocate __cxa_eh_globals
std::__libcpp_tls_set failure in __cxa_get_globals()
execute once failure in __cxa_get_globals_fast()
cannot create thread specific key for __cxa_get_globals()
cannot zero out thread value for __cxa_get_globals()

- - -> omitted output < - - -

St8bad_cast
St10bad_typeid
;*2$"
zPLR
Android (5058415 based on r339409) clang version 8.0.2 (https://android.googlesource.com/toolchain/clang 40173bab62ec746213857d083c0e8b0abb568790) (https://android.googlesource.com/toolchain/llvm 7a6618d69e7e8111e1d49dc9e7813767c5ca756a) (based on LLVM 8.0.2svn)
GCC: (GNU) 4.9.x 20150123 (prerelease)
gold 1.12
.shstrtab
.note.android.ident
.note.gnu.build-id

- - -> omitted output < - - -
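
The output above shows the key sitting in the library as an ordinary NUL-terminated string, which is why searching for the variable name finds nothing while the value itself is in plain sight. The following is an added example, not part of the original gist: a pre-release check a team could run over its own build artifact to flag such strings before shipping. The function names, the 24-character minimum, the 4.0 bits-per-character threshold and the sample bytes are assumptions made for illustration.

```python
import base64
import math
import re

# Runs of 4+ printable ASCII bytes, the same default minimum `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A string made up entirely of base64 characters (24 or more), optional padding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(text):
    """Bits per character of the string's own character distribution."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secret_candidates(blob, min_entropy=4.0):
    """Return (offset, string) pairs that look like embedded keys."""
    hits = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii")
        # Symbol names and error messages fail the base64 shape test;
        # padding such as "AAAA..." fails the entropy test.
        if BASE64_TOKEN.fullmatch(text) and shannon_entropy(text) >= min_entropy:
            hits.append((match.start(), text))
    return hits


# Constructed sample: bytes shaped like the excerpt above, with a placeholder
# value standing in for a real key.
SAMPLE_KEY = base64.b64encode(b"CHANGEME-not-a-real-key-01234567").decode()
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00libc.so\x00libnative-lib.so\x00__cxa_finalize\x00"
    b"Java_com_criticalblue_androidhidesecrets_MainActivity_stringFromJNI\x00"
    b"[^_]\x00" + SAMPLE_KEY.encode() + b"\x00"
    b"cannot allocate __cxa_eh_globals\x00"
)

if __name__ == "__main__":
    for offset, text in find_secret_candidates(SAMPLE_BLOB):
        print(f"0x{offset:x}: {text}")
```

A hit from this check means the value is recoverable by anyone holding the APK, so the finding to act on is the presence of the key in the binary, not the name of the variable that held it.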