There are multiple ways for sensitive information leakage in android applications. The most common ones are:
- Hardcoded sensitive information
- Leakage via logcat/debug logs
We have already seen this in the section where we were replicating the cryptographic functions locally. The secret key that's used for crypting purposes is hardcoded in the source code of the application which allowed us to decrypt the encrypted request and responses.
We have been using the application for a while. So, let's check the logs via
In the above image, we can see logs of multiple processes. Our target is to find the logs specific to our application. Search for the Process ID (PID) of the damn vulnerable bank application.
adb shell ps -ef | grep damn
adb logcat output with the process ID (PID) specific to our target application.
adb logcat | grep 5021