During a recent Android security assessment, I experienced one of those moments every pentester secretly hopes for — the moment when the app accidentally reveals more than it should. What started as routine testing quickly turned into a fascinating discovery involving ADB logcat, exposed API endpoints, and authentication tokens. The most surprising part?

I was able to capture and use API requests without performing any SSL pinning bypass at all.

Yes, you read that right. No Frida. No patching. No fancy SSL bypass techniques. Just good old log analysis and curiosity.

Let's walk through the journey.

Step1: Analyzing the ADB Logcat for sensitive data.

#adb logcat

While interacting with the app, I noticed that the application was printing API request details in logcat. The logs revealed an authentication API endpoint that contained:

  • Username
  • Password
  • Client ID

This immediately indicated that sensitive information was being logged.

Step2 : Recreating the API Request

Using the information found in logcat, I recreated the request in Postman/Burp Suite.

Example request:

POST /api/auth/token

Payload:

username=<user>
password=<password>
client_id=<client>

After sending the request, the server responded with a JWT authentication token.

Success!

The token allowed authenticated access to the API.

Step3 : Endpoint Enumeration

Next, I enumerated API endpoints using dirsearch.

dirsearch -u https://target-api.com

During enumeration I discovered a publicly accessible file:

/swagger.json

This file listed all available API endpoints, making further testing much easier.

Step4 : Testing the APIs

Using the JWT token and the discovered endpoints, I crafted requests in Burp Suite/Postman to test the API.

Final Thoughts

This finding highlights an important lesson in mobile security:

Sometimes the most effective vulnerabilities don't require complex exploitation techniques.

asde
Who needs SSL bypass when logcat tells the whole story

In this case, simple log analysis exposed the entire authentication workflow.

No SSL pinning bypass.

No reverse engineering.

Just ADB logcat and curiosity.

And sometimes…

That's all a pentester needs.