Let’s know How I have explored the buried secrets in Xamarin application

In my [previous write-up](https://secureitmania.medium.com/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7) I explained the React Native reverse engineering technique. Again I have found a bug in a Xamarin-based application, this time found by a different approach instead of the old reverse engineering methodology.

Introduction:

Xamarin is a free and open source mobile app platform for building native, high-performance iOS, Android, tvOS, watchOS, macOS, and Windows apps.

Old-fashioned way of Android Reverse Engineering

Typically, when reversing an Android application, it is decompiled using apktool and dex2jar and then analyzed using JD-GUI. When dealing with native applications, this is useful if the application has any native code that you would like to analyze.

But with Xamarin, most of the time the core logic of the application lies in the “.dll” assemblies, which can be obtained without needing to use dex2jar at all.

Reverse Engineering Process: Xamarin application

Step-1: Confirm whether the application was built on the Xamarin framework.

To check this, copy the APK with a .zip extension and then extract it into a new folder using the following commands:

cp com.example.apk example-apk.zip
unzip -qq example-apk.zip -d unzipped-apk

Browse to the newly created unzipped-apk folder and look for an assemblies folder. If it contains several .dll binaries, the application was built on the Xamarin framework.

Step-2: Find the DLL that contains the core logic of the application. This is usually easy: the DLL is typically named after the package name or the application name.

Step-3: Decompile the DLL using the dnSpy tool.

Step-4: Search for sensitive credentials and endpoints.

In this phase, you have to identify sensitive keywords to look for while analyzing the decompiled code. A pattern that is common in Android applications is the use of third-party services, so search for things such as Firebase, Azure and AWS S3 service endpoints, private keys, etc.
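As an added example (not part of the original write-up), the following Python script automates Steps 1, 2 and 4 the way a reviewer checking a release build would: it confirms the Xamarin assemblies folder, ranks the DLL named after the package first, and scans each DLL's embedded strings, both ASCII and UTF-16LE (the encoding .NET uses for string literals), for the kinds of credentials listed above. The pattern list, the sample APK and the placeholder key are constructed for this example; assemblies in newer Xamarin.Android builds may be LZ4-compressed with an XALZ header, which the script flags rather than decompresses.

```python
import io
import re
import zipfile
# Text patterns for the secret types the write-up searches for; constructed for this example.
PATTERNS = {
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "firebase_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "s3_endpoint": re.compile(r"[a-z0-9.-]+\.s3\.amazonaws\.com"),
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")          # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # .NET string literals are stored as UTF-16LE
XALZ_MAGIC = b"XALZ"  # header of LZ4-compressed assemblies in newer Xamarin.Android builds

def is_xamarin_apk(zf):
    """Step 1: an 'assemblies' folder holding .dll files marks a Xamarin build."""
    return any(n.startswith("assemblies/") and n.endswith(".dll") for n in zf.namelist())

def candidate_assemblies(zf, package):
    """Step 2: rank the DLLs so the one named after the package or app comes first."""
    dlls = [n for n in zf.namelist() if n.startswith("assemblies/") and n.endswith(".dll")]
    return sorted(dlls, key=lambda n: (package.lower() not in n.lower(), n))

def extract_strings(data):
    for m in ASCII_RUN.finditer(data):
        yield m.group(0).decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group(0).decode("utf-16-le")
def scan_assembly(data):
    """Step 4: (pattern name, matched text) for every embedded string that looks sensitive."""
    if data.startswith(XALZ_MAGIC):
        return [("compressed_assembly", "XALZ header: LZ4-decompress before scanning")]
    return [(name, m.group(0)) for s in extract_strings(data)
            for name, pat in PATTERNS.items() for m in pat.finditer(s)]

def scan_apk(apk_bytes, package):
    """Return {dll path: hits} for a Xamarin APK, or {} when it is not a Xamarin build."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if not is_xamarin_apk(zf):
            return {}
        return {n: scan_assembly(zf.read(n)) for n in candidate_assemblies(zf, package)}

def build_sample_apk():
    """Constructed stand-in for an APK: a zip whose 'assemblies' folder holds fake DLLs."""
    secret = "AccountKey=" + "A" * 40 + "=="  # constructed placeholder, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("assemblies/com.example.dll", b"MZ" + secret.encode("utf-16-le") + b"\x00\x00")
        zf.writestr("assemblies/Other.dll", XALZ_MAGIC + b"\x01" * 16)
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk(), "com.example")` reports the placeholder key found in com.example.dll, nothing in Mono.Android.dll, and a decompress-first note for the XALZ-packed DLL.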

After a long, deep code review I was able to find sensitive hard-coded credentials in a commented section of the code.

Now it's time to exploit the disclosed keys

Whenever I find an API key, I primarily go and refer to the Keyhacks GitHub repository. But there was no valid approach related to the disclosed keys.

Further analysis of the Azure Blob Storage API documentation and some tutorials about the Azure CLI showed me how to use these credentials via the Azure CLI. Please find the process below to exploit the disclosed keys
