Discovering API secrets & endpoints using APKLeaks
2024-03-20 Author: securityboulevard.com (view original)

What if I told you there is a simple way to find more API servers, secrets, and endpoints that you probably don’t currently do as part of your recon? Would you want to know about it?

Of course you would. Who wouldn’t?

Have you ever heard the saying, “There’s an app for that”? There has never been a more accurate statement when it comes to API hacking.

Let me explain.

“There’s an app for that.”

We live in a world where mobile computing far outweighs the traditional desktop computing of yesteryear. Mobile apps are being built for everything from dating to data collection. Gaming to gambling. Your phone is a treasure trove of access to pretty much anything.

And you know what? A lot of those mobile apps rely on APIs to run.

And we can use that to our advantage.

Android apps in particular are trivial to reverse engineer: the bytecode inside their binary packaging format decompiles back into readable code that we can review and audit. Even better, there are tools that automate the whole process for us.

Let me introduce you to one such tool called apkleaks.

An introduction to apkleaks

To distribute an app to Android devices, developers build a compiled Android Package Kit (APK). (Google Play now takes an Android App Bundle from the developer and generates device-specific APKs from it, but what lands on the device is still one or more APKs.)

This APK file contains all the necessary components for the app to install and run on an Android device. It includes the application's compiled code (Java or Kotlin sources converted into Dalvik bytecode in one or more classes.dex files), assets, resources, any native libraries, and the AndroidManifest.xml that declares the app's permissions, features, and components.

APK files can be easily reversed using tools like Jadx, which is basically a Dex-to-Java decompiler. More interesting to us are tools like apkleaks that go one step further: apkleaks runs jadx for you, then scans the decompiled sources and resources with a set of regular expressions for interesting URIs, endpoints, and secrets such as API keys and tokens.

Using apkleaks

Installing apkleaks is simple. Some package managers carry it (Kali Linux ships a package, for example), but the route that works everywhere is pip: "pip3 install apkleaks". It depends on jadx for decompilation; if jadx is not already on your PATH, apkleaks downloads it on first run, and jadx itself needs a Java runtime installed.

Once installed, using it is just as easy.

Use the -f option to point to the APK file you want to scan and then the -o option to set the name of the output file that will hold the results. Two more options are worth knowing: --json switches the output to JSON, which is much easier to feed into other tooling, and -p lets you supply your own regex pattern file if the built-in rules miss something specific to your target (-a passes extra arguments through to jadx).

But how do you get the APK file in the first place? That’s a great question.

Let’s use a real world example of sourcing and scanning an Android app to extract critical recon data for use in API hacking.

Real world example: Reversing a healthcare app

Let’s go ahead and set the stage. Here in Canada, we are offered a lot of virtual health care. One vendor that offers these services is Telus Health. Last year, there were rumblings on the dark web that their source code may have been stolen and that some of the APIs Telus relies on were used to scrape a whole bunch of internal information relating to staff and customers.

Interesting.

I’m curious about the attack surface of the Telus Health app since I rely on it for my healthcare. So, let’s use that to showcase how to improve our recon with tools like apkleaks.

Step 1: Source the APK

Before we can do anything, we need to get the actual Telus Health mobile app. While it would be possible to download it directly to an Android phone, I want to show you a technique to do this without access to a phone.

There are a few reasons for this.

Reason #1: Access to older versions with legacy endpoints

Improper Inventory Management exists as a vulnerability class in the OWASP API Security Top 10 because teams struggle to keep track of every version of every endpoint. It's not uncommon to see endpoints deprecated in the client within a release or two while the server keeps answering on the old paths.

This is an opportunity for us.

You may want to scan an older version of the app alongside the current one. Endpoints that appear in the old build but not in the latest one are exactly the candidates for deprecated routes that may still exist on the API server, and comparing the two builds gives you that list directly.
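Comparing two builds is a set difference over the link lists apkleaks produces. The script below is an added example, not code from the original post or from apkleaks: it takes the LinkFinder-style matches from an old and a new build, normalizes them (query strings, fragments and trailing slashes dropped) and reports which paths disappeared. The two input lists are constructed to look like apkleaks output and refer to a placeholder host, not to any real app.

```python
"""Diff the endpoint lists apkleaks extracted from two versions of the same
app and flag paths that vanished from the client: candidates for deprecated
routes that may still be served by the API.

Added example, not from the original post. OLD_BUILD and NEW_BUILD are
constructed samples in the style of apkleaks LinkFinder matches.
"""
from urllib.parse import urlsplit


def normalize(link: str) -> str:
    """Reduce a LinkFinder match to a comparable form.

    Absolute URLs keep scheme and host; relative paths stay relative.
    Query strings, fragments and trailing slashes are dropped so that
    /v1/users?x=1 and /v1/users/ compare equal.
    """
    parts = urlsplit(link.strip())
    path = parts.path.rstrip("/") or "/"
    if parts.netloc:
        return f"{parts.scheme}://{parts.netloc}{path}"
    return path


def diff_endpoints(old_links, new_links):
    """Return (deprecated, added, common) as sorted lists of normalized links.

    'deprecated' are links present in the old build but absent from the new
    one; these are the ones worth probing on the live server.
    """
    old = {normalize(link) for link in old_links}
    new = {normalize(link) for link in new_links}
    return sorted(old - new), sorted(new - old), sorted(old & new)


# Constructed samples (not real output for any application): what the
# LinkFinder matches of two successive builds might look like.
OLD_BUILD = [
    "/api/v1/patients/records",
    "/api/v1/patients/records/",
    "/api/v1/appointments?include=notes",
    "https://api.example.invalid/v1/export",
    "/api/v2/appointments",
]
NEW_BUILD = [
    "/api/v2/patients/records",
    "/api/v2/appointments",
    "https://api.example.invalid/v2/export",
]

if __name__ == "__main__":
    deprecated, added, common = diff_endpoints(OLD_BUILD, NEW_BUILD)
    for label, links in (("deprecated?", deprecated), ("added", added), ("common", common)):
        for link in links:
            print(f"{label:12} {link}")
```

In practice you would run apkleaks with --json against both APKs and feed the two LinkFinder match arrays in; the "deprecated?" list is what you then probe with curl against the production host, since the v1 paths are no longer reachable from the app's UI but nothing in the client removes them from the server.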

Reason #2: Selective & conditional blocking

Some mobile apps are only available in certain countries or regions, in certain languages, or for certain Android versions or device models. As such, you might need a way to appear to be coming from a different region or to be downloading for a different device.

Reason #3: Anonymity

When you download an app from the Google Play Store, you have to be logged in with a Google account. That becomes metadata tracking which applications you download and use. During an engagement, you might not want that.

We aren't doing anything malicious here, but that doesn't mean we want our recon tied to a personal Google account.

Whatever your reason is, let me show you how to source and download the APK you want.

Visit the Google Play Store using TOR

Open a new private window in your favorite Tor-capable browser. I will use Brave for this example (it has a "private window with Tor" mode), but you can use whatever browser you want. Just make sure it is successfully connected to Tor. One caveat: Brave does not let you choose the exit node's country. If the store serves different content by region, use Tor Browser with an ExitNodes setting in its torrc (for example ExitNodes {ca}), or a VPN with a server in the region you want to appear to be coming from.

Now head to the Google Play Store at https://play.google.com/store/apps.

Search for the app you want

Once in the Play Store, use the search functionality to find your app. Click on it to go to its details page.

You want to pay close attention to the id parameter in the URL. This is the app's package name (its application ID), and it is how the Play Store and every third-party downloader identify the app. In my case, it's com.babylon.telushealth.

Use an APK downloader

Once you know the APK identifier (ID), you can request to download it. There are plenty of different tools for this, so I’ll let you use your favorite Google dorks to find one that fits your needs. I will use an online downloader that can pull different versions directly from apkpure.net, an Android app store that collects current packages and archives old ones.

Using apps.evozi.com, I get a zip file containing the APK(s), including the split packages that carry per-device configs and languages, along with a manifest. By simply unzipping it, I have access to the APK(s) I need. With split packaging, the base APK is the one that holds the code (the classes.dex files); the config splits mostly hold resources and native libraries, so the base APK is the file to point apkleaks at first.
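When a downloader hands you several APKs, it helps to know which of them actually carry code before you start scanning. The script below is an added example, not part of the original post or of apkleaks: it opens each APK as the zip file it is, counts the classes*.dex entries, and returns the ones worth feeding to apkleaks, base APK first. The naming heuristic for split APKs (split_ or config. prefixes) and the sample bundle it builds are assumptions for demonstration; the sample APKs are empty placeholder zips, not real packages.

```python
"""Decide which APKs from an unzipped downloader bundle contain Dalvik
bytecode, so apkleaks is pointed at the right file(s).

Added example, not from the original post. The bundle built by
build_sample_bundle() is constructed from empty placeholder entries.
"""
import os
import tempfile
import zipfile
from pathlib import Path


def classify_apk(path):
    """Describe one APK: manifest present, number of dex files, and whether
    its file name marks it as a split (assumed naming: split_*/config.*)."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
    dex = [n for n in names if n.startswith("classes") and n.endswith(".dex")]
    return {
        "path": str(path),
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_count": len(dex),
        "is_split": Path(path).name.startswith(("split_", "config.")),
    }


def apks_worth_scanning(paths):
    """Return the paths that contain bytecode, base APK first.

    Config splits (split_config.en.apk, split_config.arm64_v8a.apk, ...)
    normally carry only resources or native libraries; feature splits may
    carry their own dex and deserve a second apkleaks run.
    """
    infos = [classify_apk(p) for p in paths]
    with_code = [i for i in infos if i["dex_count"] > 0]
    with_code.sort(key=lambda i: (i["is_split"], i["path"]))
    return [i["path"] for i in with_code]


def build_sample_bundle(dirpath):
    """Construct a fake unzipped downloader bundle (demonstration only)."""
    dirpath = Path(dirpath)
    dirpath.mkdir(parents=True, exist_ok=True)
    layout = {
        "base.apk": ["AndroidManifest.xml", "classes.dex", "classes2.dex",
                     "res/values/strings.xml"],
        "split_config.en.apk": ["AndroidManifest.xml", "resources.arsc"],
        "split_config.arm64_v8a.apk": ["AndroidManifest.xml",
                                       "lib/arm64-v8a/libnative.so"],
        "split_payments.apk": ["AndroidManifest.xml", "classes.dex"],
    }
    for apk, entries in layout.items():
        with zipfile.ZipFile(dirpath / apk, "w") as z:
            for entry in entries:
                z.writestr(entry, b"")  # placeholder bytes, not real content
    return sorted(str(dirpath / apk) for apk in layout)


def demo():
    """Build the constructed bundle in a temp dir and return the base names
    of the APKs that should be scanned."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_bundle(tmp)
        return [os.path.basename(p) for p in apks_worth_scanning(paths)]


if __name__ == "__main__":
    for name in demo():
        print("scan with apkleaks:", name)
```

On a real bundle, pass the paths of the extracted files to apks_worth_scanning() and run apkleaks -f on each result; the resource-only splits can be skipped.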

Step 2: Run apkleaks

With access to the APK, let’s now try to extract interesting metadata using apkleaks.

apkleaks -f com.babylon.telushealth -o telushealth.txt

You will immediately start seeing it scan the app and try to find secrets and services being used:

Shortly after that, you’ll start seeing links being extracted, pointing to potential API endpoints:

You may also see it extract fully qualified paths to external servers the mobile app depends on. In my case, I can see external services like Google Maps and PayPal, along with some test and staging instances of internal services.

Side Tip: If you are a glutton for punishment, run jadx directly against the APK (jadx -d output-dir app.apk) and dump the whole source tree. From there, you can explore the code in VS Code or JD-GUI. In my case, I found out about special feature flags that make the mobile app work in a different way to access different APIs, giving me some clarity on some of the endpoint paths I saw through apkleaks.

Step 3: Validate that the secrets, endpoints, and servers are valid

Once you have a dump from apkleaks, you should verify that the data extracted is actually live: regex matches include dead hosts, example strings, and third-party SDK endpoints that have nothing to do with your target. I'll leave the details as an exercise for you. For links, something as simple as curl (watching status codes and redirects) is enough. For secrets, you could use something like nuclei and its token-spray templates, which send one authenticated request per service and report whether the credential is accepted. One caveat for Google Maps keys specifically: a key like this is meant to ship in the client, so it only becomes a finding if it is unrestricted, meaning it works from any client rather than only from the app's package name and signing certificate, or if it is enabled for more APIs than the app needs.

As an example, in my case, I could see a couple of Google API keys. Let’s test them with nuclei.

nuclei -t http/token-spray/ -var token=AIzaSyCI0wS69-6XAxCVDKBozccalLz6fRIaCfc

Sure enough… those are valid Google Static Maps API keys hardcoded in the app.
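The same validation pass, written out so it can be scripted rather than done by hand, as an added example that is not code from the original post or from apkleaks. It sorts the extracted links into absolute URLs and relative paths, flags hosts whose names suggest staging or test instances, probes each URL, and requests a Static Maps tile with each Google key to see whether the key is usable from outside the app. The report shape ({"package": ..., "results": [{"name": ..., "matches": [...]}]}, with rule names LinkFinder and Google_API_Key) is my understanding of what apkleaks --json writes and is an assumption; the report, the hosts, the key and the canned responses are all constructed so the script runs offline.

```python
"""Triage and validate an apkleaks JSON report offline.

Added example, not from the original post or from apkleaks. SAMPLE_REPORT
and CANNED are constructed; the key is a placeholder, not a real credential.
"""
import json
import re
from urllib.parse import urlencode, urlsplit

STATIC_MAPS = "https://maps.googleapis.com/maps/api/staticmap"
# Host-name tokens that usually mark a non-production instance.
NONPROD = re.compile(r"(^|[.-])(dev|test|qa|uat|stag(e|ing)|sandbox)([.-]|$)", re.I)


def load_findings(report_json):
    """Return (absolute_urls, relative_paths, google_keys) from a report
    in the assumed apkleaks --json shape."""
    report = json.loads(report_json)
    urls, paths, keys = set(), set(), set()
    for entry in report["results"]:
        if entry["name"] == "LinkFinder":
            for match in entry["matches"]:
                (urls if urlsplit(match).netloc else paths).add(match)
        elif entry["name"] == "Google_API_Key":
            keys.update(entry["matches"])
    return sorted(urls), sorted(paths), sorted(keys)


def nonprod_hosts(urls):
    """Hosts that look like test/staging/dev instances."""
    hosts = {urlsplit(u).netloc.lower() for u in urls}
    return sorted(h for h in hosts if NONPROD.search(h))


def probe_urls(urls, fetch):
    """fetch(url) -> (status, body_bytes). Map each URL to its status;
    a transport error (DNS failure, refused connection) is recorded as None."""
    out = {}
    for url in urls:
        try:
            out[url] = fetch(url)[0]
        except Exception:
            out[url] = None
    return out


def check_maps_key(key, fetch):
    """Request a 1x1 Static Maps tile with the key. A 200 means the key works
    from an arbitrary client, i.e. it is not restricted to the app's package
    and signing certificate. Anything else is returned with Google's reply so
    the tester can read whether the key is invalid or merely restricted."""
    url = STATIC_MAPS + "?" + urlencode(
        {"center": "0,0", "zoom": 1, "size": "1x1", "key": key})
    status, body = fetch(url)
    if status == 200:
        return "usable-outside-app", ""
    return "rejected", body.decode("utf-8", "replace")[:120]


# Constructed report in the assumed apkleaks --json shape. Not real output.
SAMPLE_REPORT = json.dumps({
    "package": "com.example.health",
    "results": [
        {"name": "LinkFinder", "matches": [
            "https://api.example.invalid/v1/",
            "https://api-staging.example.invalid/v1/",
            "https://maps.googleapis.com/maps/api/staticmap",
            "/v1/patients/me", "/v1/appointments"]},
        {"name": "Google_API_Key",
         "matches": ["AIzaSyPLACEHOLDER_KEY_FOR_DEMO_ONLY"]},
    ],
})

# Canned responses standing in for the network. For a real run, replace
# canned_fetch with a urllib/requests call returning (status, body_bytes).
CANNED = {
    "https://api.example.invalid/v1/": (401, b'{"error":"unauthenticated"}'),
    "https://api-staging.example.invalid/v1/": (200, b'{"status":"ok","debug":true}'),
    "https://maps.googleapis.com/maps/api/staticmap": (400, b""),
}


def canned_fetch(url):
    if url.startswith(STATIC_MAPS + "?"):
        ok = "DEMO_ONLY" in url
        return (200, b"\x89PNG placeholder") if ok else (403, b"rejected: invalid key")
    if url not in CANNED:
        raise ConnectionError(url)
    return CANNED[url]


def run(report_json=SAMPLE_REPORT, fetch=canned_fetch):
    urls, paths, keys = load_findings(report_json)
    return {
        "nonprod": nonprod_hosts(urls),
        "paths": paths,
        "status": probe_urls(urls, fetch),
        "keys": {k: check_maps_key(k, fetch)[0] for k in keys},
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The relative paths in the output are the piece curl cannot resolve on its own: they need to be attached to each candidate host (production and staging alike) before probing, which is where the deprecated-endpoint list from an older build pays off.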

Conclusion

There you have it. In just a few minutes you might be able to find new API servers, secrets, and endpoints that you didn’t find during your initial recon.

Using tools like apkleaks as part of your recon process can quickly return valuable operational intelligence. Even if you aren’t planning to hack the mobile app itself, it’s worth doing to extract more potential recon data to help direct your API hacking efforts.

Give it a try during your next engagement and see what you are able to find.

Good luck!

One last thing…

API Hacker Inner Circle

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.

The post Discovering API secrets & endpoints using APKLeaks appeared first on Dana Epp's Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/discovering-api-secrets-endpoints-using-apkleaks


Source: https://securityboulevard.com/2024/03/discovering-api-secrets-endpoints-using-apkleaks/