Bug Hunting: Sensitive information exposed in android strings.xml file

Pravinrp
2 min readOct 12, 2020

--

String.xml is a single location for various strings your application needs. Here every string has a unique id, this id you use in your code to use that string. It is always recommended not to store critical data. Sometimes due to insecure coding practices, some sensitive information might be stored in strings.xml file. When an attacker performs code analysis of the android application, he/she will be able to get hold of such sensitive information which will lead to compromise of application security.

I have identified such sensitive information in one of the android application’s strings.xml file.

In the target android application, the twitter application has been used as an authorization server for Oauth authentication. The target application has been registered in the twitter auth server and the callback URL is “http://****.oauth.****.com"

I have identified the twitter consumer key, secret and callback URL have been disclosed in the strings.xml file.

Description:
Ideally, twitter OAuth 1.0 authentication occurs using consumer key, secret and callback URL. The target application uses these values in order to get request tokens(oauth_token,oauth_secret) from the twitter auth server. Finally, all these values are exchanged for auth_token value. Since consumer key, secret and callback_url are known to the attacker, he/she will be able to manipulate the request tokens and eventually retrieve oauth_token as well.

Below details disclosed in the strings.xml file:
<string name="twitter_callback">http://****.oauth.****.com</string>
<string name="twitter_consumer_key">TV8***************</string>
<string name="twitter_consumer_secret">RQMf**************************</string>

strings.xml file discloses sensitive information

These values are used to below class "com.*****.android.twitter.com.*****.android.twitter":

public void m2****(String str, String str2, String str3, boolean z, Listener listener) {
TwitterOAuthTask twitterOAuthTask;
TwitterOAuthTask twitterOAuthTask2;
if (str == null || str2 == null || str3 == null || listener == null) {
throw new IllegalArgumentException();
}
Boolean valueOf = Boolean.valueOf(z);
synchronized (this) {
twitterOAuthTask = this.f27566a;
twitterOAuthTask2 = new TwitterOAuthTask();
this.f27566a = twitterOAuthTask2;
}
m30457a(twitterOAuthTask);
twitterOAuthTask2.execute(new Object[]{str, str2, str3, valueOf, listener});

Steps:

  1. Download the com.*****.au**** apk file
  2. Open the apk file using any jadx-gui tool
  3. Go to Resources->resources.arsc->values->strings.xml and check for twitter consumer key and values

Impact:

The attacker will be able to manipulate the request token which might lead to auth_token compromise

Supporting Material/References:

Twitter API request for reference
Twitter POST request

If you like the content, please follow me on medium and LinkedIn

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/

--

--

Pravinrp

OSCP/Security geek &researcher(Application/infrastructure/Mobile/cloud security)