Description
It was observed that the app secret was hardcoded in the Android app and can be obtained by decompiling the Android APK. Once the APK is decompiled, navigate to the assets directory and open the appcenter-config.json file to access the app secret.
Repro Steps
1. Run the following: apktool d 'target.apk'
2. Open the extracted folder and navigate to the assets directory.
3. Open the appcenter-config.json file to access the app secret.
Details
The App Secret is like an API key for your app, which can allow any attacker to invoke App Center REST APIs (like triggering builds or sending push notifications). Is there any other form of authentication? Or, if an attacker got access to the app secret, would they have full access to all APIs and be able to carry out attacks?
Hi, no, the App Secret cannot be used to call any App Center REST API (you need to generate a different API token for that). Though the name is confusing, it can only be used to send telemetry to the ingestion endpoint (in.appcenter.ms) or to check for in-app updates.
This app identifier does not have permissions for the push or build scope, or anything other than ingestion/reading in-app updates.
It is very common for analytics SDKs to have such a key that is scoped only to sending telemetry, as it is not possible to actually protect it.
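A pre-release check for the condition discussed in this thread, added here as an example (it is not the reporter's procedure or the App Center SDK's own tooling): an APK is a ZIP archive and its assets are stored as-is, so the config file can be read without a full apktool decompile. It assumes the config stores the secret under the JSON key app_secret, and the sample APK it builds is constructed in memory.

```python
"""CI check: does an APK bundle an App Center app secret in its assets?

Added example, not App Center SDK code. Assumes the config file keeps the
secret under the JSON key "app_secret". The finding is masked so it can be
logged safely; per the maintainer reply above, the secret is ingestion-scoped
(telemetry / in-app update checks), not an API token, so the check is about
knowing what ships in the build rather than treating it as a credential leak.
"""
import io
import json
import zipfile
from typing import Optional

CONFIG_PATH = "assets/appcenter-config.json"


def find_appcenter_secret(apk_bytes: bytes) -> Optional[dict]:
    """Return a masked finding if the APK bundles an app secret, else None."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if CONFIG_PATH not in apk.namelist():
            return None
        try:
            cfg = json.loads(apk.read(CONFIG_PATH).decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            # File present but unreadable: still worth surfacing to a reviewer.
            return {"path": CONFIG_PATH, "secret": None, "note": "unparseable config"}
    secret = cfg.get("app_secret")
    if not isinstance(secret, str) or not secret:
        return None
    masked = secret[:4] + "*" * (len(secret) - 4)  # never log the full value
    return {"path": CONFIG_PATH, "secret": masked,
            "note": "ingestion-scoped App Center app secret bundled in assets"}


def build_sample_apk(secret: Optional[str]) -> bytes:
    """Constructed stand-in for an APK: a ZIP with (optionally) the config asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder, constructed
        if secret is not None:
            z.writestr(CONFIG_PATH, json.dumps({"app_secret": secret}))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample secret; not a real App Center value.
    print(find_appcenter_secret(build_sample_apk("0123abcd-constructed-sample")))
    print(find_appcenter_secret(build_sample_apk(None)))
```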