React Native APK Exposed API Token

less than 1 minute read

import APK to JADX then open MainActivity

alt text

since the app uses React Native (by checking the comment and import) we need to reverse the app differently.

because react-native is a JavaScript framework I tried to unzip the OTPVault.apk

alt text

Go to assets then open index.android.bundle using notepad / VS Code

copy all the code then beautify it at Online JavaScript beautifier or using built-in VS Code to make it more readable

while searching “OTP” I found juicy code on line 31982 and line 31989 alt text

since I got the endpoint to get OTP and the token, I use Postman to call it with this configuration

    Method: GET
    URL: http://congon4tor.com:7777/flag
    Auth: Bearer Token KMGQ0YTYgIMTk5Mjc2NzZY4OMjJlNzAC0WU2DgiYzE41ZDwN

alt text

then….. the result status is 200 and the flag shown

flag{5450384e093a0444e6d3d39795dd7ddd}

Twitter Facebook LinkedIn

Malware Analysis with Event Viewer - PicoCTF 2025

3 minute read

PicoCTF 2025 - One of the employees at your company has their computer infected by malware! Turns out every time they try to switch on the computer, it shuts...

Malware Analysis — FakeGPT Lab

6 minute read

Cyberdefenders Blue Team CTF - Your cybersecurity team has been alerted to suspicious activity on your organization’s network. Several employees reported unu...

Manual APK Repackaging for exposing Secret on droids3 Android App

7 minute read

PicoCTF 2019 (Writeup) — droids3 (Android Reverse Engineering)

Smali Patching for calling Secret Function on droids4 Android App

4 minute read

PicoCTF 2019 (Writeup) — droids4 (Android Reverse Engineering)

Muhammad Alief

React Native APK Exposed API Token

You May Also Enjoy

Malware Analysis with Event Viewer - PicoCTF 2025

Malware Analysis — FakeGPT Lab

Manual APK Repackaging for exposing Secret on droids3 Android App

Smali Patching for calling Secret Function on droids4 Android App