Vulnerability Report for Studocu Mobile Application

Vulnerability Overview

Title: Sensitive Information Leakage in strings.xml
Severity: High
Affected File: res/values/strings.xml

Description

The strings.xml file in the Studocu mobile application contains hardcoded sensitive information, including Lokalise API tokens and a Lokalise project ID. Because these values ship inside the APK, which anyone can download and decompile, the credentials are effectively public, allowing unauthorized access to internal services and potentially leading to security breaches.

Leaked Information

<string name="LOKALISE_API_TOKEN">c515393287f3893be8df1670514694f794a80a86</string>
<string name="LOKALISE_OTA_API_TOKEN">fa67fbd57b0295680194a576e929a1b08367</string>
<string name="LOKALISE_PROJECT_ID">5862821065450dbcf0be12.22268464</string>

Steps to Reproduce

1. Decompile the APK: download the Studocu APK file from the Google Play Store and decompile it with a tool such as apktool:

   apktool d Studocu.apk -o Studocu_decompiled

2. Locate the strings.xml file: navigate to the res/values directory:

   cd Studocu_decompiled/res/values

3. Inspect the strings.xml file: open strings.xml and search for the sensitive entries:

   grep -E "LOKALISE_API_TOKEN|LOKALISE_OTA_API_TOKEN|LOKALISE_PROJECT_ID" strings.xml

The sensitive information is displayed, as shown above.

Proof of Concept (PoC)

The following proof of concept demonstrates how to extract the sensitive information from the decompiled strings.xml file.

PoC Code

# Decompile the APK
apktool d Studocu.apk -o Studocu_decompiled

# Navigate to the directory containing strings.xml
cd Studocu_decompiled/res/values

# Extract the sensitive information
grep -E "LOKALISE_API_TOKEN|LOKALISE_OTA_API_TOKEN|LOKALISE_PROJECT_ID" strings.xml

PoC Output

<string name="LOKALISE_API_TOKEN">c515393287f3893be8df1670514694f794a80a86</string>
<string name="LOKALISE_OTA_API_TOKEN">fa67fbd57b0295680194a576e929a1b08367</string>
<string name="LOKALISE_PROJECT_ID">5862821065450dbcf0be12.22268464</string>

Practical Impact

The exposure of these credentials has several practical impacts:

- Unauthorized Access: Attackers can use the leaked API tokens to gain unauthorized access to the Lokalise project and its related resources. This can lead to unauthorized modifications, data theft, and potential disruption of services.
- Service Abuse: Attackers may exploit the exposed API tokens to perform malicious activities, such as sending unauthorized requests to the Lokalise API, potentially resulting in rate limiting or service disruption.
- Intellectual Property Theft: The leaked project ID and API tokens give attackers access to proprietary content and localization data, leading to intellectual property theft and competitive disadvantage.
- Increased Attack Surface: With access to the Lokalise project, attackers can gain insight into the structure and content of the application's localization data, potentially identifying further vulnerabilities and exploitation opportunities.

Recommendations

- Remove Hardcoded Credentials: Remove the hardcoded API tokens and project ID from the strings.xml file. Store and retrieve sensitive information through secure means, such as environment variables or encrypted storage, rather than in packaged resources.
- Implement Secure API Authentication: Use a secure method for API authentication, such as OAuth, to minimize the risk of credential leakage.
- Monitor and Rotate API Keys: Regularly monitor the usage of API keys and rotate them periodically to reduce the risk of unauthorized access.
- Review and Audit Code: Conduct regular code reviews and security audits to identify and mitigate potential security vulnerabilities.

Conclusion

The leakage of sensitive information in the strings.xml file of the Studocu mobile application poses a significant security risk. Immediate action should be taken to remove the hardcoded credentials and implement secure practices to protect sensitive information and prevent unauthorized access.

For further assistance or queries regarding this report, please contact the security team.

Reported by: [Your Name]
Date: [Report Date]
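As an added example for the Review and Audit Code recommendation (this script is not part of the original report and is not Studocu's or Lokalise's code), the following Python check scans a strings.xml file, whether from the app's own source tree or from a decompiled build, and flags entries whose resource name or value looks like a credential, so the finding above would be caught in CI before an APK is published. The name and value regexes are this example's own heuristics, the mask() helper and the scan_strings_xml() function are hypothetical names, and the embedded sample strings.xml is constructed with placeholder values rather than the real tokens.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Heuristic 1: resource names that usually hold credentials. Matching is
# case-insensitive; expect some false positives and review each hit by hand.
SECRET_NAME = re.compile(
    r"(api|token|secret|passw|private|credential|auth|project_id)", re.I
)

# Heuristic 2: values shaped like machine-generated tokens: 32 or more
# characters from the hex / base64 / identifier alphabet and no whitespace.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9+/=_.\-]{32,}$")

# Constructed sample strings.xml (placeholder values, not real credentials).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="welcome_message">Welcome back!</string>
    <string name="LOKALISE_API_TOKEN">0123456789abcdef0123456789abcdef01234567</string>
    <string name="LOKALISE_OTA_API_TOKEN">fedcba9876543210fedcba9876543210fedc</string>
    <string name="LOKALISE_PROJECT_ID">000000000000000000000000.00000000</string>
    <string name="upload_signature">9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c</string>
    <string name="privacy_url">https://example.com/privacy</string>
    <string name="onboarding_text">Find the study notes you need in seconds.</string>
</resources>
"""


def mask(value: str) -> str:
    """Redact a value so the finding can be logged without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_strings_xml(xml_text: str) -> list:
    """Return one finding per <string> element that trips either heuristic.

    Only <string> elements are inspected; <string-array> items are left for a
    separate check. Each finding carries the resource name, the masked value
    and the list of reasons it was flagged.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        reasons = []
        if SECRET_NAME.search(name):
            reasons.append("secret-like name")
        if TOKEN_VALUE.match(value):
            reasons.append("token-like value")
        if reasons:
            findings.append({"name": name, "value": mask(value), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python check_strings.py [path/to/res/values/strings.xml]
    # With no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STRINGS_XML
    hits = scan_strings_xml(text)
    for hit in hits:
        print(f"{hit['name']}: {hit['value']} ({', '.join(hit['reasons'])})")
    # Non-zero exit status fails the CI job when anything suspicious is found.
    sys.exit(1 if hits else 0)
```

Run against the sample, the three LOKALISE_* entries are flagged on both name and value shape, and upload_signature is caught by value shape alone, while the URL and the sentence-length strings pass; the exit status makes the check usable as a build gate.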