In June 2020, I found an Basetrip API Key exposing publicly in an android source code. That application has a bug bounty program in Bugcrowd , I reported the issue and my report Triaged.
Category: Sensitive Data Exposure > Critically Sensitive Data > Private API Keys
Status: Triaged
Bounty: Points
You can use apktool to decompile an apk and find these hard coded secret keys.
Let’s directly jump into the POC and cURL request:
POC:
curl --request GET --url 'https://api.thebasetrip.com/v3/countries/france?from=spain' --header 'Accept: application/json' --header 'x-api-key: <API_KEY>
You will get a valid response if the key is active/valid.