Looking for Secrets in Disassembled Android APKs (I found one)

  • Published on 29 Sep 2024
  • Pretty easy to get Java source from APKs, even easier to find interesting stuff. Just gotta look around a little bit.
    Decompiler:
    github.com/sky...
    Hope you enjoyed the video!
    Join my Discord server and come say hi:
    / discord
    Check out some code on my GitHub:
    github.com/rea...
    github.com/eng...
    Send me a Gab:
    gab.com/engine...
    Other Social:
    / engineerman
    / _engineerman
    / engineermanyt

Comments • 72

  • @urugulu1656 3 years ago +94

    doing what every programmer does
    ignoring error messages

  • @klekaelly 3 years ago +1

    Are there decompilers for everything? Often times I do open up files and it's just non-readable garbage. How do you know which decompiler to use?

    • @mikeuk1927 3 years ago +1

      I believe that for Java it's easy because bytecode is structurally similar to source, so Java decompiles are quite readable. On the other hand C/C++'s output machine code is nowhere near close to source so a decompiler cannot do a great job and outputs non-readable garbage

    • @maxemore 3 years ago

      @mikeuk1927 You can decompile it to x86 assembly tho

  • @jasonl8391 3 years ago +23

    Can you do a video about bypassing ssl/tls certificate pinning? Monitoring API calls from Android app.

    • @Acceleratedpayloads 3 years ago

      I actually watched this video because a popular baby monitor app doesn't have a public api, and I want to pull the apk apart to get access to the video feed from my wifi camera from them and the sensor data

    • @jasonl8391 3 years ago

      @Acceleratedpayloads you can try packet capture app to see if they use ssl/tls pinning. If they don't, you can see all their API calls. Otherwise you will need to do a bypass.

    • @Acceleratedpayloads 3 years ago

      @jasonl8391 Thanks! I'll probably just do it in an android vm or something.

  • @DoorThief 3 years ago +21

    I'd love to see more disassembly videos!

  • @RadicalEagle 3 years ago +14

    Just curious, did you contact pz64 and let them know about this before you uploaded the video?

    • @EngineerMan 3 years ago +34

      I did not. If this were an actual damaging leak of secrets then I wouldn't have uploaded it in the first place. Everything that can be done with that key could also just be done by using his app. The intent here is to demonstrate concepts on a live example without creating a live security incident.

    • @Solomonwo 11 months ago

      Why

  • @salahuddinbangash4785 3 years ago +2

    For those who want to read TLS data use old android os like 4.4 with burpsuite and custom certificate. Thank me later 😂😂😛

  • @keshavsharma9380 3 years ago +13

    you are so calm boi!

  • @bolt8129 3 years ago +9

    Bro how did u gain so much knowledge?

    • @ShivamJha00 3 years ago +1

      Wdym? These are just normal stuffs

    • @anthonyscott1864 3 years ago

      You are amazing

    • @coldcerberus9425 3 years ago

      i guess they are just very good at rtfm

  • @mytechnotalent 3 years ago +4

    Just brilliant as always!

  • @radomane 3 years ago +1

    You can extract an APK from your phone with ADB

  • @ssbrunocode 3 years ago +1

    Thanks for the video man, great content!

  • @user-fb2cb6xp7c 1 year ago

    ty, you helped me to go against the internet Laws and decompile an app's apk to actually hurt the app's company, here is a LIKE for you

  • @thiyamsuresh4918 3 years ago +1

    Seems like you started bug hunting.

  • @geronimovera9814 3 years ago +1

    My man your videos are super cool!

  • @crazyGodLikE 3 years ago +6

    Loving the increased frequency in pushing out quality content! :)

  • @aprilmintacpineda2713 3 years ago +1

    Can you try doing this but this time try it with the google API key, we literally put those in the app's source code?

    • @nadir2k 3 years ago

      u shouldn't have, lol

    • @aprilmintacpineda2713 3 years ago

      @nadir2k do you develop mobile apps? Do you understand and have experience about this?

  • @GakisStylianos 3 years ago

    They're using AsyncTask, did you expect them to hide their api key? 😂

  • @curtissboots7343 2 years ago

    how do you find out their ip address so you will have a sense of where they've been working from

  • @hamzabarbara6427 3 years ago

    i'm just curious about your files i mean how do you manage them you have only numbers on them

  • @bingolio 1 year ago

    VERY IMPRESSIVE, Great Job!!!

  • @arfanvlk9351 3 years ago

    Android studio can decompile APKs

  • @ianbdb7686 3 years ago

    The fact that u pointed out how sus the sites are

  • @FreeDomSy-nk9ue 3 years ago

    What's TLS? And how does it hide the endpoint? Isn't the endpoint just a string?
    I thought TLS encrypts content but has nothing to do with hiding the endpoint's plain text string like something_api.php?

    • @EngineerMan 3 years ago

      TLS encrypts the entire payload including URL, headers, and body. The only thing that is visible is that the phone connected to some IP address which isn't super useful or informative on its own.

    • @FreeDomSy-nk9ue 3 years ago

      @EngineerMan Thank you

    • @FreeDomSy-nk9ue 3 years ago

      @EngineerMan Do you have a video or a stream where you talk about DDOSing and protecting from it? In many of your videos (especially about scammers) you simply use their urls to flood their websites with requests. Isn't there a protection against this? I'm not trying to create a scamming website, but just want to protect my client-server communication side project. Thanks again

  • @zat3995 3 years ago

    He must have gone to harvard

  • @qwerasdfhjkio 3 years ago +4

    Wait I'm a bit confused about how can we protect our apps from this? You said we could create our own api, with our own api key, but can't they also get this new api key too?

    • @mihainov 3 years ago +3

      His idea was that you would create your own server as a middleman between your app and the endpoint e.g. twitter. So the communication would go as app -> your server -> twitter. Since the twitter api key is in your web server, the end user does not have access to it.

    • @qwerasdfhjkio 3 years ago +1

      @mihainov i still don't understand, am I missing something?
      If the communication goes like this:
      App -> my server -> twitter, wouldn't they be able to do the exact same thing that EM did in this video? Like they would be able to make a request using something like postman and get their data from there? Sorry if I'm being repetitive but I'm a bit confused

    • @mihainov 3 years ago

      @qwerasdfhjkio If the API key is in the web server, people can still disassemble the app like in the video, but they won't find the "twitter api key" since it will be in the web server. End users will not be able to disassemble the web server. If you make a request with postman to the web server, you still won't find out what the API key is. The web server will include the API key only when it sends a request to twitter.com, but it won't include the API key when it communicates with the Android app (or postman).

    • @ntkidding 3 years ago

      @mihainov Another benefit would be that if you change your account, then you should only deploy on your server, it will be unnoticeable for the user

    • @qwerasdfhjkio 3 years ago +1

      @mihainov I think this makes sense, just wondering, the part where you said:
      "The web server will include the API key only when it sends a request to twitter.com, but it won't include the API key when it communicates with the Android app"
      How do we do this? (Even if you just link some resources instead of explain that's fine too)
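
The arrangement described in this thread (app -> your server -> third-party API), as an added example that is not code from the video or from any commenter. It shows the server side in Python; `UPSTREAM_BASE`, the `/timeline` route, the `UPSTREAM_API_KEY` variable and `fake_upstream` are hypothetical names and constructed stand-ins.

```python
import json
import os
from urllib.parse import parse_qs, urlencode, urlsplit

# The secret lives in the server's environment and is never shipped in the APK.
UPSTREAM_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-demo-key")
UPSTREAM_BASE = "https://api.upstream.example"  # hypothetical third-party API

# App-facing route -> (upstream path, allowed query parameters).
# Upstream endpoints that are not listed here cannot be reached through us.
ROUTES = {"/timeline": ("/v1/statuses", {"user"})}


def fake_upstream(url, headers):
    """Constructed stand-in for the third-party API so this runs offline."""
    if headers.get("Authorization") != "Bearer " + UPSTREAM_KEY:
        return 401, {"error": "bad key"}
    return 200, {"requested": url, "statuses": ["hello"]}


def handle_app_request(raw_url, upstream=fake_upstream):
    """Handle one request from the mobile app; returns (status, json_body)."""
    parts = urlsplit(raw_url)
    route = ROUTES.get(parts.path)
    if route is None:
        return 404, json.dumps({"error": "unknown endpoint"})
    upstream_path, allowed = route
    # Forward only allow-listed parameters (first value of each).
    params = {k: v[0] for k, v in parse_qs(parts.query).items() if k in allowed}
    if set(params) != allowed:
        return 400, json.dumps({"error": "missing parameter"})
    # The key is attached here, on the server-to-upstream hop only.
    status, data = upstream(
        UPSTREAM_BASE + upstream_path + "?" + urlencode(params),
        {"Authorization": "Bearer " + UPSTREAM_KEY},
    )
    if status != 200:
        return 502, json.dumps({"error": "upstream failure"})
    # Reply with only the fields the app needs, never the outbound request.
    return 200, json.dumps({"statuses": data["statuses"]})


if __name__ == "__main__":
    print(handle_app_request("/timeline?user=alice&admin=1"))
    print(handle_app_request("/v1/account/delete"))
```

As the thread points out, anyone can still send requests to `/timeline` with a tool like Postman; what they cannot do is read the key or reach upstream endpoints the server does not route.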

  • @coffeeguy1887 3 years ago

    Big brain time

  • @Hartley94 3 years ago

    Thank you.

  • @ekemark224 3 years ago

    98 views

  • @Ak47Hangu 3 years ago +2

    Brother you make a block chain of programmers like you by teaching them on daily basis from basic to the edge that goes far beyond ..I am constant watcher and I admire your knowledge and creativity great Respect 🙌💯

  • @ekemark224 3 years ago

    banger

  • @BananaHead223 3 years ago

    Nice

  • @sasodoma 3 years ago

    You should mention APK Mirror, probably the most reliable APK site.

  • @N7Tonik 3 years ago

    all users are talking to the api via the private api key anyways, I don't understand how it helps let the app users talk through an own api to the actual api

    • @mikeuk1927 3 years ago +1

      It's protection. You don't have to expose all endpoints present in original api. Imagine that a web app frontend instead of talking to the backend which in turn talks to the database server, directly talks to the database server. You don't want users to be able to access your sql directly. I guess it's similar here

    • @N7Tonik 3 years ago +1

      @mikeuk1927 of course, thank you, this absolutely makes sense. I actually don't know why I didn't think of it

  • @wisdomTalkswithme 3 years ago +1

    I am sorry man ❤️ i really wanted to listen to you 🥺 but i am in tha "Hello world"✝️

  • @shonkylovesgaming1766 3 years ago

    First viewer here.

  • @adittyasharma6530 3 years ago +1

    First comment

  • @michaeldevnews 2 years ago

    why do you always say "he or him" and never a "she or her". Please learn your pronouns.

    • @CarlForTuna28 1 year ago

      She is just being realistic, please be reasonable.

    • @antronx7 1 year ago

      92% of software engineers are men, saying she instead of he is just pandering.

    • @EngineerMan 1 year ago +1

      Yeah, no, I'm gonna go ahead and say whatever I want. I'm assuming this is a troll post though.