We are given an Android app with a login screen. [http://www.javadecompilers.com/](http://www.javadecompilers.com/) is a good website for decompiling the apk (without going through the trouble of installing all the tools).

After decompiling you can see the code in `LoginActivity.java`:

```
public void onClick(View view) {
Toast.makeText(LoginActivity.this.getApplicationContext(), C0046o.m117a(LoginActivity.this.getApplicationContext(), (int) R.raw.prod, this.f1785b.getText().toString(), this.f1786c.getText().toString(), false), 1).show();
}
```

No way to get the username and password from here. Looking around you'll see another interesting file named `TestActivity.java`:

```
public void onClick(View view) {
String str;
try {
MessageDigest instance = MessageDigest.getInstance("SHA-256");
Signature signature = TestActivity.this.getApplicationContext().getPackageManager().getPackageInfo(TestActivity.this.getApplicationContext().getPackageName(), 64).signatures[0];
str = C0046o.m117a(TestActivity.this.getApplicationContext(), (int) R.raw.qa, "token", signature == null ? "" : Base64.getEncoder().encodeToString(instance.digest(signature.toByteArray())), true);
} catch (NameNotFoundException | NoSuchAlgorithmException e) {
e.printStackTrace();
str = null;
}
Toast.makeText(TestActivity.this.getApplicationContext(), str, 1).show();
}
```

Basically, this code uses `token` as username and the SHA256 of the first APK signature (encoded in Base64) as the password. This signature can be extracted from `CERT.RSA` using `keytool`:

```
$ keytool -printcert -file CERT.RSA
Owner: CN=RealGam3, OU=RealGam3, O=RealGam3, L=NA
Issuer: CN=RealGam3, OU=RealGam3, O=RealGam3, L=NA
Serial number: 19e19e40
Valid from: Sun Jun 21 16:27:18 ICT 2020 until: Thu Jun 15 16:27:18 ICT 2045
Certificate fingerprints:
SHA1: 02:32:1C:57:42:D4:68:DC:45:37:25:11:7D:79:1B:2B:A3:C0:C7:1A
SHA256: A7:DF:C1:5E:06:E9:E9:DD:6F:46:D1:C8:70:26:E2:E9:59:BA:7D:A3:40:2D:02:21:63:34:3A:8D:70:A9:52:F9
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
```

Encoded Base64: `p9/BXgbp6d1vRtHIcCbi6Vm6faNALQIhYzQ6jXCpUvk=`

Now we need to see how the username and passwords are sent to the server. This is done in `C0046o.m117a` method. Although the code is not fully decompiled, we can still have an idea of what is going on:

- The code sends a basic authentication request with username and password to [https://certifiedapp.ctf.bsidestlv.com:8003/authenticate](https://certifiedapp.ctf.bsidestlv.com:8003/authenticate)
- Client certificate is used to encrypt the SSL/TLS traffic. Certificate is stored in `res/raw/qa.p12`. Certificate password is `thecakeisalie` (obtained from key `clientCertPassword` in `res/values/strings.xml`)

Full solver code:

```
package bsidesltv;

import java.io.*;
import java.net.ProtocolException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.net.ssl.*;

public class CertAppSolver {

public static void m125a(HttpsURLConnection httpsURLConnection, String str, String str2) {
StringBuilder sb = new StringBuilder();
sb.append(str);
sb.append(":");
sb.append(str2);
String sb2 = sb.toString();
System.out.println(sb2);
try {
httpsURLConnection.setRequestMethod("POST");
httpsURLConnection.setConnectTimeout(1500);
httpsURLConnection.setReadTimeout(1500);
byte[] encode = java.util.Base64.getEncoder().encode(sb2.getBytes(StandardCharsets.UTF_8));
StringBuilder sb3 = new StringBuilder();
sb3.append("Basic ");
sb3.append(new String(encode));
System.out.println(sb3);
httpsURLConnection.setRequestProperty("Authorization", sb3.toString());
} catch (ProtocolException e) {
e.printStackTrace();
}
}

public static String m118a(InputStream inputStream) throws Exception {
char[] cArr = new char[4096];
InputStreamReader inputStreamReader = new InputStreamReader(inputStream, "UTF8");
StringWriter stringWriter = new StringWriter();
while (true) {
int read = inputStreamReader.read(cArr);
if (-1 == read) {
return stringWriter.toString();
}
stringWriter.write(cArr, 0, read);
}
}

public static java.lang.String m117a(java.lang.String r7, java.lang.String r8) throws Exception {
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}
};
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

java.lang.String clientCertPassword = "thecakeisalie";
java.lang.String certPath = "bsidesltv\\qa.p12";
InputStream stream = new DataInputStream(new FileInputStream(certPath));
java.security.KeyStore r4 = java.security.KeyStore.getInstance("PKCS12");
r4.load(stream, clientCertPassword.toCharArray());
javax.net.ssl.KeyManagerFactory r5 = javax.net.ssl.KeyManagerFactory.getInstance("SunX509");
r5.init(r4, clientCertPassword.toCharArray());
javax.net.ssl.KeyManager[] r50 = r5.getKeyManagers();
javax.net.ssl.SSLContext r6 = javax.net.ssl.SSLContext.getInstance("TLS");
java.security.SecureRandom r9 = new java.security.SecureRandom();
r6.init(r50, trustAllCerts, r9);
java.lang.String r2 = "https://certifiedapp.ctf.bsidestlv.com:8003/authenticate";
java.net.URL r51 = new java.net.URL(r2);
java.net.URLConnection r52 = r51.openConnection();
javax.net.ssl.HttpsURLConnection r53 = (javax.net.ssl.HttpsURLConnection)r52;
javax.net.ssl.SSLSocketFactory r61 = r6.getSocketFactory();
r53.setSSLSocketFactory(r61);
m125a(r53, r7, r8);
int r62 = r53.getResponseCode();
System.out.println(r62);
java.io.InputStream r71 = r53.getInputStream();
java.lang.String r63 = m118a(r71);
r53.disconnect();
return r63;
}

public static void main(String[] args) throws Exception {
String s = m117a("token", "p9/BXgbp6d1vRtHIcCbi6Vm6faNALQIhYzQ6jXCpUvk=");
System.out.println(s);
}
}
```

Flag: `BSidesTLV2020{I_L1k3_B1g_Apps_And_I_cannot_l13}`