# LAB - Sensitive Information Leakage

In this lab environment, you will have GUI access to a Debian machine. An application named **HeyDoc** is available on the Android Emulator.

**Objective:** Identify sensitive information leaked by the HeyDoc app by intercepting and analyzing network requests using Burp Suite.

**Note:** Allow the app to make and manage phone calls by granting the required permission when prompted.

The valid credentials for **HeyDoc** app are as follows:

* **Username:** alice
* **Password:** Bazinga\@12345#

> **Note:** You can start the emulator using the script located on the Desktop. Additionally, check the **Tools** directory located on the Desktop for available tools.

***

First, run the app; it asks for permission to make and manage phone calls. After accepting, a login panel appears. Enter the credentials to log in:

<figure><img src="/files/7O4zL3MZYJk94RJZqmhr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rA9FSz3jZwt4wHRcwSps" alt=""><figcaption></figcaption></figure>

Next, configure the Burp proxy and navigate through the app to intercept all requests:

<figure><img src="/files/HLWWCRSvJQpdKIEIgmIh" alt=""><figcaption></figcaption></figure>

Now either set the emulator's Wi-Fi proxy to match the Burp listener, or do it from the command line:

```
adb shell settings put global http_proxy <host-ip>:8080
```

<figure><img src="/files/nEjnUbuOLbYJMKpKZ2dS" alt=""><figcaption></figcaption></figure>

With that done, navigate through the app:

<figure><img src="/files/tgw6PBzD8QIZMpPmOsx8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/spo3S7GgXxbp591ZgbxF" alt=""><figcaption></figcaption></figure>

1. `Authorization: Bearer token_101_20250602080848`: This header typically includes an access token prefixed with "Bearer", which is used to authenticate the request.
2. `_ygs: SU1FST0zNTgyNDAwNTExMTExMTA7VXNlcm5hbWU9YWxpY2U=`: This appears to be Base64-encoded data.

So, Base64-decode the `_ygs` parameter:

```
echo "SU1FST0zNTgyNDAwNTExMTExMTA7VXNlcm5hbWU9YWxpY2U=" | base64 --decode
```

<figure><img src="/files/L7hBAXFzeVsEywOdnqqG" alt=""><figcaption></figcaption></figure>

We have found that an **IMEI number** and the **logged-in username** are being sent with the request in an inconspicuous parameter within the request header.
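When reviewing many captured requests, the manual decode above can be automated. The following is an added example, not part of the original lab or the HeyDoc app: it scans a raw request for header values that Base64-decode to device or user identifiers. The request line, the `Host` value and the watch list of key names are assumptions; only the `Authorization` and `_ygs` values come from the capture above.

```python
import base64
import binascii
import re

# Constructed sample request: only the Authorization and _ygs values come from
# the lab capture; the request line and Host are placeholders.
SAMPLE_REQUEST = (
    "GET /api/placeholder HTTP/1.1\r\n"
    "Host: heydoc.example\r\n"
    "Authorization: Bearer token_101_20250602080848\r\n"
    "_ygs: SU1FST0zNTgyNDAwNTExMTExMTA7VXNlcm5hbWU9YWxpY2U=\r\n"
    "\r\n"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Assumed watch list of key names; extend it for the app under review.
SENSITIVE_KEYS = {"imei", "imsi", "msisdn", "username", "email"}


def luhn_ok(digits):
    """IMEIs end in a Luhn check digit, which filters out arbitrary 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_leaks(raw_request):
    """Return (header, key, value) for Base64 header values hiding identifiers."""
    findings = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        value = value.strip()
        if not sep or not B64_RE.match(value):
            continue
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64 text, so nothing to inspect
        for pair in decoded.split(";"):
            key, _, val = pair.partition("=")
            is_imei = re.fullmatch(r"\d{15}", val) is not None and luhn_ok(val)
            if key.lower() in SENSITIVE_KEYS or is_imei:
                findings.append((name.strip(), key, val))
    return findings
```

Calling `find_leaks(SAMPLE_REQUEST)` flags the `_ygs` header twice, once for the IMEI and once for the username, and leaves the `Authorization` header alone because its value is not Base64 text.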


