Unveiling Hidden AWS Keys In My First Android Pentest
文章描述了一次通过逆向工程分析Android应用的经历,揭示了隐藏在应用中的关键访问密钥,并从中学习到现代移动应用架构的重要差异。 2025-10-17 09:50:19 Author: infosecwriteups.com(查看原文) 阅读量:9 收藏

Press enter or click to view image in full size

Andrew Keitany

We often find our greatest challenges — and lessons — in the most unexpected places. For me, it was during a casual, personal engagement with a client. They had an Android app, and the topic of security came up. While my experience lay elsewhere, the world of Android pentesting had always been a “someday” skill. Seeing this as a catalyst, I decided to dive in headfirst.

What I didn’t expect was to find a critical secret access key buried within the app, a discovery that highlighted a crucial difference in modern mobile application architecture.

The Starting Point: A Fork in the Road

My first step was reconnaissance. Like any good researcher, I started with HackTricks, an incredible resource for offensive security techniques. Armed with some initial methodology, I reached for the essential tool in any Android reverser’s arsenal: apktool.

apktool d TestApp.apk
I: Using Apktool 2.11.1 on TestApp.apk with 8 threads
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling classes3.dex...
I: Baksmaling classes4.dex...
I: Baksmaling classes5.dex...
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: /Users/******/Library/apktool/framework/1.apk
I: Decoding values */* XMLs...
I: Decoding…

文章来源: https://infosecwriteups.com/how-my-first-android-pentest-led-to-an-exposed-aws-secret-key-and-how-i-verified-it-caac6e08b1ae?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh