information-security / lovoo-api-python

Python library to connect to Lovoo's API

App tokens and secrets #1

Open sarandafl opened 2 years ago

sarandafl commented 2 years ago

Do you mind sharing how you were able to get the OAUTH_TOKEN/SECRET, as well as the Salt value? Would be great for future reference and other projects. I assume from a reversed APK? Great work btw!

information-security commented 2 years ago

Dear @sarandafl

Thanks for your feedback and sorry for my late reply.

You are absolutely correct about how I acquired SECRET, SALT, etc. The procedure is generally as below:

  1. Download the latest version of the target APK from 3rd-party sources such as apkmirror.com.

  2. Decompile the APK using any of the tools available out there. I used the following steps, if I recall correctly:

    1. Rename .apk extension to .zip.
    2. Extract the archive.
    3. Find the `classes.dex` file and issue the following command: `d2j-dex2jar classes.dex`
    4. Open the newly created JAR file (`d2j-dex2jar classes.dex`) with the JD-GUI application and voila. You'll see the source code.
    5. Search for the keywords (secret, password, token, salt, etc.) within the source files. Note: Be creative with choosing the keywords.
    6. You might also use RegEx to find patterns of what you are looking for. For instance, a public key might be stored in the source as a large string value containing random characters or it might also be stored as a byte array of fixed size. You must be creative here again ;-)
  3. After finding the required data, you might also analyze the source code to find out what algorithm is used. Then, it would be easy to simulate their authentication mechanism.

Please note that, during debugging, network monitoring tools such as Wireshark are of great value. You might set up a custom network to be able to monitor every packet that your target APK is sending out or receiving. Monitoring the packets sent over SSL is also possible but out of the scope of this thread.

Hope this helps.
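
The keyword and pattern search described in the comment above is also what a pre-release check can run over an app's own source or decompiled build, to catch embedded credentials before they ship. This is an added example, not part of the original thread or the repository; the sample Java source, its constant names, the regexes and the entropy threshold are constructed assumptions.

```python
import math
import re

# Keywords named in the thread; extend for your own code base.
KEYWORDS = re.compile(r"secret|password|token|salt", re.IGNORECASE)
# Assignment of a string literal to a named constant or variable.
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]+)"')
# A quoted literal of 20+ characters from a base64/hex-like alphabet.
LONG_LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')
# A byte-array initialiser, e.g. `byte[] X = {...}` or `new byte[]{...}`.
BYTE_ARRAY = re.compile(r"byte\s*\[\s*\]\s*(?:\w+\s*=\s*)?\{([^}]*)\}")

# Constructed sample input; none of these values are real credentials.
SAMPLE = '''\
public final class ApiConfig {
    static final String OAUTH_SECRET = "EXAMPLE_ONLY";
    static final String BASE_URL = "https://api.example.invalid/v1";
    static final String K = "q8Zr3LmX0pTn5VbY7sWd2HcJ";
    static final String PAD = "aaaaaaaaaaaaaaaaaaaaaaaa";
    static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
}
'''


def shannon_entropy(text):
    """Bits per character; random key material scores higher than words."""
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan_source(source, min_entropy=3.5, min_bytes=16):
    """Return (line number, finding kind, detail) for each suspect line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, _value in ASSIGNMENT.findall(line):
            if KEYWORDS.search(name):
                findings.append((lineno, "keyword", name))
        for literal in LONG_LITERAL.findall(line):
            if shannon_entropy(literal) >= min_entropy:
                # Report only a prefix so the report does not leak the value.
                findings.append((lineno, "high-entropy-literal", literal[:4] + "..."))
        for body in BYTE_ARRAY.findall(line):
            elements = [e for e in body.split(",") if e.strip()]
            if len(elements) >= min_bytes:
                findings.append((lineno, "byte-array", f"{len(elements)} elements"))
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Any value this check flags should be treated as public once the app is distributed; keeping credentials server-side, or issuing them per user, removes the exposure rather than hiding it.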