
App secret exposed #565

Closed
ralesiupgrade opened this issue Mar 29, 2019 · 2 comments
@ralesiupgrade

Description

It was observed that the app secret was hardcoded in the Android app, which can be obtained by decompiling the Android APK. Once the APK is decompiled, navigate to the assets directory and open the appcenter-config.json file to access the app secret.

Repro Steps

Run the following: apktool d 'target.apk'

Open the extracted folder and navigate to assets directory.

Open the appcenter-config.json file to access the app secret.

Details

The App secret is like an API key for your app which can allow any attacker to invoke App Center REST APIs (like trigger builds or send push notifications). Is there any other form of authentication? Or if an attacker got access to the app secret, would they have full access to all APIs and carry out attacks?
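An added example (not part of the original issue or of the App Center SDK): a release-pipeline check that reads the bundled appcenter-config.json straight out of the APK (an APK is a ZIP archive, so no apktool step is needed) and reports which keys ship in it, with the secret redacted so the report can be logged. The asset path is the one named in this issue; the key name `app_secret` is an assumption.

```python
import io
import json
import zipfile

CONFIG_PATH = "assets/appcenter-config.json"  # path reported in the issue
SECRET_KEY = "app_secret"  # assumed key name inside the config file


def build_sample_apk(secret: str, include_config: bool = True) -> bytes:
    """Constructed stand-in for a real APK: a minimal ZIP with the config asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        if include_config:
            zf.writestr(CONFIG_PATH, json.dumps({SECRET_KEY: secret}))
    return buf.getvalue()


def inspect_appcenter_config(apk_bytes: bytes) -> dict:
    """Report what the APK ships in appcenter-config.json without writing to disk.

    Returns whether the file is present, the keys it contains, any key other
    than the expected app secret (which the maintainer says is ingestion-only;
    anything else in there deserves a look), and a redacted secret for logs.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if CONFIG_PATH not in zf.namelist():
            return {"present": False, "keys": [], "unexpected_keys": [],
                    "secret_redacted": None}
        try:
            cfg = json.loads(zf.read(CONFIG_PATH).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return {"present": True, "keys": [], "unexpected_keys": [],
                    "secret_redacted": None, "error": "malformed json"}
    secret = cfg.get(SECRET_KEY)
    redacted = None
    if isinstance(secret, str) and secret:
        # keep only the ends so the value can be matched against the portal entry
        redacted = secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "..."
    return {
        "present": True,
        "keys": sorted(cfg),
        "unexpected_keys": sorted(k for k in cfg if k != SECRET_KEY),
        "secret_redacted": redacted,
    }


if __name__ == "__main__":
    report = inspect_appcenter_config(build_sample_apk("0123456789abcdef0123456789abcdef"))
    print(json.dumps(report, indent=2))
```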

@guperrot
Member

guperrot commented Mar 29, 2019

Hi, no, the App Secret cannot be used to call any AppCenter REST API (you need to generate a different API token for that). Though the name is confusing, it can only be used to send telemetry to the ingestion endpoint (in.appcenter.ms) or to check for in-app updates.

This app identifier does not have permissions for the push or build scope, or anything other than ingestion/reading in-app updates.

It is very common for analytics SDKs to have such a key that is scoped only to sending telemetry, as it is not possible to actually protect that.

@ralesiupgrade
Author

@guperrot Thanks. Closing.
