Are there any possible security attacks for App_secret?

Tags:
Debugging
Security
A particular app reveals app_secret but has server-side verification; still, there is little risk in revealing app_secret. Can anyone let me know the possible attacks that can be done using app_secret, and a proof of concept?


Software/Hardware used:
Android application

Discuss This Question: 6  Replies

  • carlosdl
    What do you mean by "revealing app_secret"?
  • someshandro
    app_secret was hardcoded in the Android application. When I decompiled the app and grepped for "secret", I found app_secret. Revealing app_secret means that no major step was taken to hide it; anyone can decompile the app and have access to app_secret.
    Would you please tell me a valid attack scenario and POC?
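The "decompile and grep for secret" step above is the usual way a hardcoded credential is found. The following is an added example, not code from the original post or from any of the replies, that does that search more systematically over a decompiled tree: it looks for credential-like identifiers in Android resource strings, in Java constants (the shape jadx produces, e.g. BuildConfig) and in smali const-string pairs (the shape apktool produces), and then uses string length and Shannon entropy to separate real-looking secrets from ordinary labels. The file paths, identifier names and secret values are constructed placeholders invented for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of what a decompiled APK tree might contain (apktool for
# resources and smali, jadx for Java). Paths, names and values are invented
# placeholders for this example; none of them come from a real application.
SAMPLE_TREE: Dict[str, str] = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DemoApp</string>\n'
        '    <string name="app_secret">a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/demo/BuildConfig.java": (
        "public final class BuildConfig {\n"
        '    public static final String API_BASE = "https://api.example.com";\n'
        '    public static final String APP_SECRET = "a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5";\n'
        "}\n"
    ),
    "smali/com/example/demo/Auth.smali": (
        ".method public static sign()V\n"
        '    const-string v0, "client_secret"\n'
        '    const-string v1, "Zm9vYmFyYmF6cXV4cXV1eHF1dXg="\n'
        "    return-void\n"
        ".end method\n"
    ),
}

# Identifier names that commonly carry a credential (matched case-insensitively).
KEY_NAME = r"(?:app[_-]?secret|client[_-]?secret|api[_-]?key|secret[_-]?key|consumer[_-]?secret)"

PATTERNS = [
    # Android resource strings: <string name="app_secret">VALUE</string>
    ("resource", re.compile(r'<string\s+name="(' + KEY_NAME + r')"\s*>([^<]+)</string>', re.IGNORECASE)),
    # Java/Kotlin constants: APP_SECRET = "VALUE"
    ("java", re.compile(r"\b(" + KEY_NAME + r')\s*=\s*"([^"]+)"', re.IGNORECASE)),
    # smali: const-string vN, "client_secret" immediately followed by the literal value
    ("smali", re.compile(r'const-string\s+v\d+,\s*"(' + KEY_NAME + r')"\s*const-string\s+v\d+,\s*"([^"]+)"', re.IGNORECASE)),
]


@dataclass
class Finding:
    path: str
    kind: str          # which pattern matched: "resource", "java" or "smali"
    name: str          # identifier the value was bound to
    value: str
    high_entropy: bool # True when the value has the shape of a key rather than a label


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex keys land near 4, base64 keys above 4, labels well below 3."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Heuristic: long enough to be a key and with enough character variety."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Run every pattern over every file and collect the bound values."""
    findings: List[Finding] = []
    for path, text in files.items():
        for kind, rx in PATTERNS:
            for m in rx.finditer(text):
                name, value = m.group(1), m.group(2)
                findings.append(Finding(path, kind, name, value, looks_like_secret(value)))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        flag = "LIKELY SECRET" if f.high_entropy else "low entropy"
        print(f"{f.path}: {f.name} = {f.value!r} [{f.kind}, {flag}]")
```

To use this on a real decompiled tree, walk the output directory and feed each text file into `scan_tree` instead of `SAMPLE_TREE`. The entropy threshold is a heuristic, so a low-entropy hit still deserves a look when the identifier name is explicit, and a hit in obfuscated code may carry a renamed identifier that none of the patterns catch.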
  • ToddN2000
    What was the purpose of decompiling the app?
    Found this on another site:

    The app secret is used to encrypt and decrypt your requests as defined in the OAuth handshake mechanisms.

    It's not supposed to have "realtime mechanisms via API" to get it: do you realize the security issues that it could generate?

    Try to look at the secret_key from another perspective; that's the kind of information that no one wants to have on the wire...

  • carlosdl
    Ah, it starts to make sense now.

    You need to keep in mind that we have no idea of what you are doing or thinking when you post a question.

    Okay, you are talking about a credential, that is called "app_secret".

    Those types of credentials are usually used with authorization/authentication purposes by API providers.

    The app secret, along with some other credentials, is used to identify the application that is using the API to access data or functions of a determined service, such as Twitter, Facebook, etc.

    Those services typically use some version of OAuth for users to authorize access to third-party applications, so when you see that Facebook, Twitter, Instagram or some other service is asking you to authorize access to some application, an OAuth process is going on in the background.

    Once a user has authorized access to an application, this application has certain permissions to do some things with the user data, or do actions on behalf of the user, such as posting updates, sharing things, etc.

    If someone manages to "impersonate" the application, by using the legitimate application's credentials to access the service, this malicious application will have all the permissions that users granted to the real application, and will be able to do things with the user data, and perform actions on their behalf.

    So, for example, if someone manages to impersonate a legit Facebook application, the malicious app could start sending unwanted friend requests, liking unwanted pages, posting unwanted things such as advertising, etc.
  • someshandro
    Thank you for your answer,
    Your answer was very satisfying, but as I mentioned earlier, the app has signature verification of the caller on the server side in order to protect against unintended access. Would you please tell me how to tackle this and get access to user data?
  • carlosdl
    "...would you plz tell me how to tackle this and have access to user data."

    Sorry, I can't. It really depends on the specific service and the security measures they have implemented.
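Two things in the thread fit together: carlosdl's point that whoever holds the legitimate application's credentials can impersonate it, and the asker's statement that the server performs "signature verification of the caller". The following is an added example, not code from the original post or any reply, and it does not describe any particular service. It assumes one common design for such verification: the client signs each request with HMAC-SHA256 keyed by app_secret, and the server recomputes the signature with the secret registered for that app_id and rejects stale timestamps. The app_id, app_secret, header names, URL paths and request bodies are constructed placeholders. Run end to end, it shows what the check does and does not prove: a rogue client built from the decompiled APK passes exactly like the real app, while a caller without the secret or a late replay is rejected.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed placeholders, not from the original post. APP_SECRET stands in for
# the value someone recovered by decompiling the APK.
APP_ID = "1234567890"
APP_SECRET = "a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5"


def string_to_sign(method: str, path: str, params: Dict[str, str], timestamp: int) -> bytes:
    """Canonical request form both sides agree on (assumed scheme for this example)."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}".encode()


def sign_request(secret: str, method: str, path: str, params: Dict[str, str], timestamp: int) -> str:
    """HMAC-SHA256 over the canonical request, keyed by the app secret."""
    return hmac.new(secret.encode(), string_to_sign(method, path, params, timestamp), hashlib.sha256).hexdigest()


def client_headers(app_id: str, secret: str, method: str, path: str,
                   params: Dict[str, str], now: int) -> Dict[str, str]:
    """What any client sends. Anyone holding `secret` can produce this; the server cannot tell who."""
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(now),
        "X-Signature": sign_request(secret, method, path, params, now),
    }


class ApiServer:
    """Server-side 'signature verification of the caller', keyed on the registered app secret."""

    def __init__(self, registered_apps: Dict[str, str], max_skew: int = 300):
        self.registered_apps = registered_apps   # app_id -> app_secret
        self.max_skew = max_skew                 # seconds of clock drift tolerated (limits replay)

    def verify(self, method: str, path: str, params: Dict[str, str],
               headers: Dict[str, str], now: int) -> Tuple[bool, str]:
        secret = self.registered_apps.get(headers.get("X-App-Id", ""))
        if secret is None:
            return False, "unknown app_id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "missing timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        expected = sign_request(secret, method, path, params, ts)
        # Constant-time comparison so the check itself does not leak the expected value.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        return True, "ok"


def demo(now: int = 1_700_000_000) -> Dict[str, Tuple[bool, str]]:
    """Exercise the check with four callers and return each verdict."""
    server = ApiServer({APP_ID: APP_SECRET})
    method, path = "POST", "/v1/posts"
    hello = {"user": "alice", "text": "hello"}
    spam = {"user": "alice", "text": "buy now"}
    hi = {"user": "alice", "text": "hi"}
    # 1. The real app, signing with the secret compiled into it.
    legit = client_headers(APP_ID, APP_SECRET, method, path, hello, now)
    # 2. A rogue client built from the decompiled APK: same app_id, same secret, its own payload.
    rogue = client_headers(APP_ID, APP_SECRET, method, path, spam, now)
    # 3. Someone who knows only the app_id and guesses the secret.
    guess = client_headers(APP_ID, "not-the-secret", method, path, hi, now)
    return {
        "legitimate": server.verify(method, path, hello, legit, now),
        "rogue_with_secret": server.verify(method, path, spam, rogue, now),
        "guessed_secret": server.verify(method, path, hi, guess, now),
        # 4. The legitimate request replayed an hour later.
        "replayed_later": server.verify(method, path, hello, legit, now + 3600),
    }


if __name__ == "__main__":
    for caller, (ok, reason) in demo().items():
        print(f"{caller:18s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The verdicts make the caveat concrete: the signature proves possession of app_secret, and once the secret is in the APK every person who decompiles it possesses it, so the server accepts the rogue client for the same reason it accepts the real one. The timestamp only narrows replay; it does nothing against forging fresh requests. OAuth treats native apps as public clients precisely because they cannot keep a client secret (RFC 6749 section 2.1, RFC 8252), so the remedy is architectural rather than a stronger signature: keep the secret on a backend that the app talks to, and authorize user-level actions with per-user tokens issued after the user logs in, which are not present in the APK.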