Secrets found in .so file (shared object file) #10

Closed
xcypher78 opened this issue Jul 31, 2024 · 3 comments

@xcypher78

APKscan found an RSA PRIVATE KEY in a .so file. How can I decompile the .so file to check?

@LucasFaudman
Owner

Hey @xcypher78,

Thanks for the feedback.

In Android applications, a .so file (shared object file) typically contains compiled native code, often written in languages like C or C++. The purpose is to provide functionality that isn't easily achievable with standard Android SDK tools or to optimize performance-sensitive parts of an application.

Unfortunately, none of the decompilers APKscan currently supports can handle .so files, since they are most likely compiled C bytecode, and the current decompilers only work with Dalvik/Java bytecode.

As you've shown, however, you can still scan these files for secrets, since APKscan performs pattern matching on the file's bytes, meaning it does not require readable strings to locate secrets.

What that means is that the RSA PRIVATE KEY pattern is found in your .so, but you'll need to take some additional steps to find it:

The simplest, but least effective method would be to try to just use strings and grep:

grep -A30 'BEGIN RSA PRIVATE KEY' <( strings /path/to/your/.so )

Note: the -A30 arg means show 30 lines after each match to try to find the whole key.

If this does not work, I'd suggest using a binary analysis tool such as:

  • Radare2: An open-source software framework for reverse engineering and analyzing binaries. (My personal favorite tool for this purpose.)
  • Ghidra: A free and open-source software reverse engineering tool developed by the NSA.
  • IDA Pro: A commercial tool for disassembly, decompilation, and reverse engineering.

@LucasFaudman
Owner

Also @xcypher78, just FYI: if your .so is any of the following, it is most likely a false positive:

  • libflutter.so
  • libhydra.so
  • libopenvpn.so
  • libovpncli.so

I'm going to close this issue for now since APKscan is working as expected, but thanks again for your feedback. I'm going to consider how to add support for this in future updates. Take care.
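
As an added example (not part of the thread and not APKscan's own code): a short Python triage that locates each `BEGIN ... PRIVATE KEY` marker in a file's raw bytes and reports whether a decodable key body follows it or only the marker string is present, which helps when deciding whether a hit like the ones discussed above is a false positive. The function names, verdict labels, the 16 KiB search window and the sample bytes are assumptions made for this example.

```python
import base64
import binascii
import re

# Opening line of a PEM private key (RSA, EC, PKCS#8 "PRIVATE KEY", ...).
BEGIN = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----")
MAX_BLOCK = 16 * 1024  # assumption: a PEM key block is smaller than 16 KiB


def triage_private_key_markers(data: bytes) -> list[dict]:
    """Classify every BEGIN ... PRIVATE KEY marker found in raw file bytes."""
    findings = []
    for m in BEGIN.finditer(data):
        label = m.group(1)
        end = data.find(b"-----END " + label + b"-----", m.end(), m.end() + MAX_BLOCK)
        verdict, der = "marker-only", b""
        if end != -1:
            # Drop PEM header lines such as "Proc-Type: 4,ENCRYPTED"; keep base64.
            lines = (ln.strip() for ln in data[m.end():end].splitlines())
            body = b"".join(ln for ln in lines if ln and b":" not in ln)
            try:
                der = base64.b64decode(body, validate=True)
            except (binascii.Error, ValueError):
                der = b""
            if len(der) >= 32:
                # Unencrypted DER keys start with an ASN.1 SEQUENCE tag (0x30);
                # encrypted or OpenSSH-format bodies decode but do not.
                verdict = "key-material" if der[0] == 0x30 else "opaque-body"
        findings.append({"offset": m.start(), "label": label.decode(),
                         "verdict": verdict, "der_len": len(der)})
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for a .so file: one bare marker pair, one full block."""
    fake_der = b"\x30\x42" + bytes(66)  # constructed filler, not a real key
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(fake_der)
           + b"-----END RSA PRIVATE KEY-----\n")
    constants = b"-----BEGIN RSA PRIVATE KEY-----\x00-----END RSA PRIVATE KEY-----\x00"
    return b"\x7fELF" + bytes(60) + constants + bytes(40) + pem


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for f in triage_private_key_markers(blob):
        print(f"0x{f['offset']:08x}  {f['label']:<20} {f['verdict']:<12} der_len={f['der_len']}")
```

Run it with the path to the extracted .so as the only argument; with no argument it scans the constructed sample. A `key-material` verdict means the key should be treated as exposed and rotated.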

@xcypher78
Author

The file is libapp.so, and thanks for your information, Lucas.

@LucasFaudman LucasFaudman changed the title decompile Secrets found in .so file (shared object file) Aug 2, 2024
@LucasFaudman LucasFaudman pinned this issue Aug 2, 2024