Description
An Android APK hides the flag in its string resources under a suspicious key. Decompile the app and decode the base32-encoded value.
Setup
Download the APK file.
Install apktool: `sudo apt install apktool`
Solution
- Step 1: Decompile the APK
Use apktool to decode the APK into readable smali bytecode and XML resource files. APK files are ZIP archives containing compiled DEX bytecode.
`apktool d minion.apk -o minion_decoded`
Learn more
An APK (Android Package) file is a ZIP archive that contains everything needed to install an Android app: compiled bytecode in `classes.dex` (Dalvik Executable format), compiled binary XML resources in `res/`, the app manifest (`AndroidManifest.xml`), and native libraries in `lib/`. Because it is a standard ZIP, you can rename it to `.zip` and browse the contents directly. apktool decodes the APK's binary XML back into human-readable XML and disassembles the DEX bytecode into smali, a human-readable assembly-like language for the Dalvik/ART virtual machine. Smali is harder to read than Java source, but it reveals every method, field, and string constant in the app. The `-o` flag specifies the output directory.
Android apps compiled from Java or Kotlin can also be decompiled to near-source-level Java using jadx or JADX-GUI, which produce more readable output than smali for most analysis tasks. The choice between apktool (smali) and jadx (Java) depends on the task: apktool is better for re-packaging and patching; jadx is better for reading and understanding logic.
- Step 2: Search string resources for the key
String resources live in `res/values/strings.xml`. Search for the key `Banana`; it holds a base32-encoded value.
`grep -i 'banana' minion_decoded/res/values/strings.xml`
Learn more
Android string resources are defined in `res/values/strings.xml` as key-value pairs: `<string name="key">value</string>`. These are intended for UI text and localization, but developers sometimes store hardcoded credentials, API keys, or other sensitive values here under innocuous-sounding names. After apktool decoding, these files are plain-text XML, readable with any text editor or grep.
Secrets in string resources are a top finding in mobile app security audits. Unlike Java class constants, which require decompilation, string resources are trivially accessible to anyone who extracts the APK; no reverse-engineering skill is needed. This is documented by OWASP as M1: Improper Credential Usage in the OWASP Mobile Application Security Verification Standard (MASVS).
A comprehensive mobile app review searches not just `strings.xml` but also other resource files, raw asset files (`assets/`), and native libraries for hardcoded secrets. Tools like MobSF (Mobile Security Framework) automate this scan and produce a full security report from an APK file.
- Step 3: Decode the base32 value
Copy the base32 string from the XML and decode it. The result is the flag.
`echo '<BASE32_VALUE>' | base32 -d`
`python3 -c "import base64; print(base64.b32decode('<BASE32_VALUE>').decode())"`
Learn more
Base32 is an encoding scheme that represents binary data using only 32 printable characters: A-Z and 2-7 (RFC 4648). Like base64, it is not encryption; it is purely a representation that avoids characters that might be problematic in certain contexts (no lowercase, no special characters except `=` padding). Base32 produces longer output than base64 (every 5 bytes become 8 characters, versus base64's 4 characters per 3 bytes) but is safer for case-insensitive systems.
The `base32 -d` command decodes a base32-encoded string from stdin. Python's `base64.b32decode()` function does the same from within a script. Base32 is used in TOTP authentication codes (Google Authenticator), DNS labels, and some URL schemes. Recognizing it by its uppercase-letter-plus-digits character set and `=` padding is a useful forensics skill.
When encountering an encoded string in a CTF, a quick heuristic: base64 uses A-Z, a-z, 0-9, +, /; base32 uses A-Z, 2-7; base16 (hex) uses 0-9, A-F. If the string contains only uppercase letters and digits 2-7, base32 is the first thing to try. The `file` command on the decoded output tells you what the data actually is.
Alternate Solution
Once you locate the base32 value in strings.xml, use the Base64 & Base32 Decoder on this site - paste the encoded string and select Base32 to decode it instantly in your browser without any command-line tools.
Flag
picoCTF{...}
APK string resources are plaintext XML after decompilation - hiding secrets there provides no protection.