androidsecurity, mobileapppt,

Let’s know How I have explored the buried secrets in the Xamarin application.

Manikanta S · Feb 20, 2021 · 3 mins read

Mobile Application Penetration Testing Guide

In my previous write-up I explained the React Native reverse engineering technique. This time I have found a bug in a Xamarin-based application, using a different approach instead of the old reverse engineering methodology.

Introduction:

Xamarin is a free and open source mobile app platform for building native, high-performance iOS, Android, tvOS, watchOS, macOS, and Windows apps.

Old-fashioned way of Android Reverse Engineering

Typically, when reversing an Android application, it is decompiled using apktool and dex2jar and then analyzed using JD-GUI. When dealing with native applications, this is useful if the application has any native code that you would like to analyze.

But most of the time, the core logic of a Xamarin application lies in its “.dll” assemblies, which can be obtained without needing to use dex2jar.

Reverse Engineering Process: Xamarin application

Step 1: Let’s confirm whether the application was built on the Xamarin framework.

To check this, rename the APK with a .zip extension and then extract it to a new folder using the following commands:

cp com.example.apk example-apk.zip
unzip -qq example-apk.zip -d unzipped-apk

Browse to the newly created unzipped-apk folder and find the assemblies folder. It contains several DLL binaries, which means the application was built on the Xamarin framework.

Step 2: Now we have to find the appropriate DLL file which contains the core logic of the application. It is easy to find: typically the DLL file is named after the package name or the application name.

Step 3: Decompile the DLL file using the dnSpy tool.

dnSpy/dnSpy (github.com): dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don’t have any…

Step 4: Search for sensitive credentials and endpoints.

In this phase, you have to identify sensitive keywords to analyze the decompiled code. A pattern that is popular with Android applications is the use of third-party services such as Firebase, Azure, AWS S3 service endpoints, private keys, etc.

After a long, deep code review I was able to find sensitive hard-coded credentials in a commented-out section of the code.
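As an added example (not the author’s code), here are Steps 1 and 4 above as a script: it checks an APK for assemblies/*.dll and then scans each assembly for the kinds of hard-coded endpoints and keys listed. The regexes, the sample DLL contents and the sample APK are constructed for this example; the script stops at a flag for LZ4-compressed (XALZ) assemblies rather than decompressing them.

```python
import io
import re
import zipfile
# Byte regexes for the hard-coded material the post says to hunt for once the DLL is open.
SECRET_PATTERNS = {
    "azure_connection_string": re.compile(rb'DefaultEndpointsProtocol=https?;[^"\s]*AccountKey=[A-Za-z0-9+/=]{20,}'),
    "azure_blob_endpoint": re.compile(rb"https://[a-z0-9]{3,24}\.blob\.core\.windows\.net"),
    "firebase_endpoint": re.compile(rb"https://[a-z0-9-]+\.firebaseio\.com"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def is_xamarin_apk(zf):
    """Step 1 of the post: a Xamarin build ships its managed code as assemblies/*.dll."""
    return any(n.startswith("assemblies/") and n.endswith(".dll") for n in zf.namelist())

def scan_dll(data):
    """Run every pattern over one DLL image. C# string literals sit in the #US metadata heap
    as UTF-16LE, so both de-interleaved byte views are scanned alongside the raw bytes."""
    hits = {}
    for name, pattern in SECRET_PATTERNS.items():
        found = {m.decode("latin-1") for view in (data, data[0::2], data[1::2]) for m in pattern.findall(view)}
        if found:
            hits[name] = sorted(found)
    return hits

def scan_apk(apk_bytes):
    """Return {dll_path: findings} for every assembly in a Xamarin APK ({} if it is not Xamarin)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if not is_xamarin_apk(zf):
            return report
        for name in (n for n in zf.namelist() if n.startswith("assemblies/") and n.endswith(".dll")):
            data = zf.read(name)
            if data[:4] == b"XALZ":
                # Newer Xamarin builds LZ4-compress assemblies; flag it rather than silently report nothing.
                report[name] = {"compressed": ["XALZ header: decompress before scanning"]}
            elif hits := scan_dll(data):
                report[name] = hits
    return report

def build_sample_apk():
    """Constructed sample: one clean DLL and one leaking an Azure connection string and a UTF-16LE Firebase URL."""
    leak = (b"// TODO remove before release: DefaultEndpointsProtocol=https;AccountName=exampleacct;"
            b"AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=;EndpointSuffix=core.windows.net\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 32)
        zf.writestr("assemblies/Com.Example.App.dll", b"MZ" + b"\x00" * 16 + leak
                    + "https://example-app.firebaseio.com".encode("utf-16-le"))
    return buf.getvalue()
```

Run `scan_apk(build_sample_apk())` to see the clean framework DLL omitted and both leaks attributed to the application DLL.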

Now it’s time to exploit the disclosed keys

Whenever I find an API key, I first refer to the Keyhacks GitHub repository. But there was no valid approach related to the disclosed keys.

Further analysis of the Azure Blob Storage API documentation and some tutorials on the Azure CLI showed me how to use these credentials via the Azure CLI. Please find the process to exploit the disclosed keys below.

Install the Azure CLI on your local machine and then set the environment variables below, replacing the values with the disclosed keys:

C:\Users\admin>set AZURE_STORAGE_ACCOUNT=****
C:\Users\admin>set AZURE_STORAGE_ACCESS_KEY=****

C:\Users\admin>set AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=****;AccountKey=****

C:\Users\admin>az storage blob list --container-name <container_name>

Conclusion

The reverse engineering process for Android applications should be conducted based on the build framework. You should identify the application’s build technology at the initial stage of information gathering.

Thanks for spending your time reading this blog. If you want to learn Android hacking, please follow me and stay tuned for interesting hacking techniques, and view my profile to read interesting bug bounty write-ups.

Written by Manikanta S
Hi, I am a computer security enthusiast, Indian security researcher, and BugHunter.