Over the past few weeks, I’ve been juggling multiple tasks, but I decided to carve out some time to sharpen my skills in Mobile Application Penetration Testing (MAPT).
I chose to dive into the Vulnerable Bank App — a purposely insecure Android banking app built for MAPT training — and I must say, it's been both challenging and rewarding.
Since I couldn't immediately perform the attack vector I had in mind, I decided to start from the AndroidManifest.xml, a habit I always recommend to fellow testers. It's often overlooked, but it holds a lot of valuable intel if you know where to look.
And guess what?
Inside the manifest, I discovered some hardcoded strings, and to my surprise — the admin username and password were embedded right there in plain text!
With those credentials, I was able to log in directly without creating any user account — exposing a critical vulnerability that could lead to full unauthorized access in a real-world scenario
Key Takeaway:
Always audit your mobile app’s manifest file. Misconfigurations and hardcoded secrets are red flags that attackers love to exploit. Developers, never store sensitive credentials in plaintext — even in a test app.


























