In my previous write-up I explain the React Native reverse engineering technique. Again I have found a bug in Xamarin based application that was found by a different approach instead of old reverse engineering methodology.
In _**_m[y previous write-up](https://secureitmania.medium.com/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)_I explain the _React Native_ reverse engineering technique. Again I have found a bug in _Xamarin**_ based application that was found by a different approach instead of old reverse engineering methodology._
Xamarin is a free and open source mobile app platform for building native and high-performance iOS, Android, tvOS, watchOS, macOS, and Windows.
Typically, when reversing an Android application, it is de-compiled using apktool, dex2jar and then analyzed using JD-GUI. When dealing with Native applications, this can be useful if the application has any native code that you would like to analyze.
But most of the time, the core logic of the application lies in the “.dll” that can be obtained without needing to use dex2jar.
Step-1: Let’s confirm whether the application was built on Xamarin framework.
To check this, rename the APK with zip extension and then extract the APK to a new folder using the following command
cp com.example.apk example-apk.zip unzip -qq example-apk.zip -d unzipped-apk
Browse to the newly created
unzipped-apk folder, and find the
assemblies folder. Inside this folder, it contains several
dll binaries. So it means that the application was build on the Xamarin framework.
Step-2: Now we have to find appropriate
dll file which contains the core logic of the application. It is easy to find the correct dll file. Typically the
dll file named with package name or application name.
Step-3: de-compile the
dll file using the** dnSpy tool**.
*Step-4: *search for sensitive credentials and endpoints
In this phase, you have to identify the sensitive keywords to analyze the de-compiled code. A pattern that is popular with android applications, is the use of a third party services like such as Firebase,Azure, AWS s3 service endpoints, private keys etc.,
After a long deep analysis of code review I was able to find** sensitive hard-coded credentials** in the commented section of code.
Whenever I found any API key I primarily go and refer the Keyhacks GitHub repository. But there no valid approach related to the disclosed keys.
Xamarin Training course is primarily designed for Beginner(s)/Professional(s) who want to learn how to develop native cross-platform apps with C# that run-on Android, iOS and Windows.
If you haven't seen part 1, click here and start building your CI/CD pipeline now.
In this article, you learn how to set up Azure Data Sync services. In addition, you will also learn how to create and set up a data sync group between Azure SQL database and on-premises SQL Server.
James and Matt will talk about multi-bindings and how using it in the right way will unleast the mysterious beast Inverter Converter.
This article will help you understand how to analyze Azure Cosmos DB data using Azure Synapse Analytics.