Hack crypto secrets from heap memory to exploit Android application

secureITmania
Published in InfoSec Write-ups
Dec 22, 2020

Typically, a Broken Cryptography flaw in an Android application has no significant impact (in general the severity is low), unless there is a strong dependency between the application workflow and its cryptography functions.

In a recent private bug bounty program, I faced a challenge in which the application request body was encrypted with some kind of cryptography mechanism. So I had to find the encryption mechanism to further assess the application.

[Figure: encrypted body challenge]

To understand the encryption logic, I decompiled the APK using an Android reverse engineering tool set and then analyzed the code for the encryption mechanism and sensitive key information. But I didn’t find any hard-coded secret in the reversed source code.

It’s time to inspect the application heap memory

Heap Memory

The heap is used for dynamic memory allocation. To provide a smooth user experience, Android sets a hard limit on the heap size for each running application. The heap size limit varies among devices and is based on how much RAM a device has. Heap memory is used to allocate objects: whenever you create an object, it’s always created in the heap.

Why we need to analyze
