How do you look for Android Broken Authentication and Session Management for $$ or $$$??
Check out this Broken Authentication and Session Management bug on an Android application. Most of the time this bug is not considered during web app hunting, but it is a valid bug on Android.
Hello folks, in this article I will explain Android Broken Authentication and Session Management.
What is Broken Authentication and Session Management ??
All applications require users to log in to access their accounts, make transactions, and so on. More often than not, this is done using a username and password. With this information, a site assigns and sends each logged-in visitor a unique session ID that serves as a key to the user’s identity on the server.
If the session ID is not properly secured, a cybercriminal can impersonate a valid user and access that user’s account, resulting in a broken authentication and session management attack.
Let's get Started !! 😉
In my previous writeup, I explained Android HTML injection. While working on the same application, I found this bug.
I logged in to the application and went to the profile page. I suggest you check for this bug on the profile page, or wherever an application stores personally identifiable information or other sensitive information.
I fired up Burp Suite and went to the profile section, which contains the Name, Email and password change options.
I tried updating the name field, and while doing this I intercepted the request and forwarded it to Repeater.
Then I logged out from the application as shown.
Then I went back to the Repeater tab, changed the name to something else, and hit Enter.
Hohohohoo…
I got a 200 OK success message!
I logged in to the application again to verify whether the modified name had been updated after I logged out.
Yessssssssssssss………………………..
It worked…………!!!
Woooooooooowwwwwwww……………That’s great……
Boom !! Profile updated successfully.
Then immediately I started making the report.
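The server-side fix for the behaviour above, as an added example that is not code from the tested application: a minimal session store where logout either leaves the token valid on the server or revokes it. It assumes the cause is that logout only clears the token on the device; `SessionStore`, `replay_after_logout` and the sample user are hypothetical names constructed for illustration.

```python
import secrets


class SessionStore:
    """Server-side session table (token -> user). Hypothetical backend model."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self.sessions = {}
        self.profiles = {}

    def login(self, user):
        # Issue an unguessable session token and remember it server-side.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        self.profiles.setdefault(user, {"name": user})
        return token

    def logout(self, token):
        # Weak variant: only the app forgets the token, the server still honours it.
        # Hardened variant: the server deletes the session so the token is dead.
        if self.revoke_on_logout:
            self.sessions.pop(token, None)

    def update_name(self, token, new_name):
        """Profile update handler; returns the HTTP status it would send."""
        user = self.sessions.get(token)
        if user is None:
            return 401  # unknown or revoked session
        self.profiles[user]["name"] = new_name
        return 200


def replay_after_logout(store):
    """Regression check: send a captured update request again after logout."""
    token = store.login("alice")  # constructed sample user
    assert store.update_name(token, "Alice A") == 200
    store.logout(token)
    status = store.update_name(token, "changed after logout")
    return status, store.profiles["alice"]["name"]


if __name__ == "__main__":
    print("weak:    ", replay_after_logout(SessionStore(revoke_on_logout=False)))
    print("hardened:", replay_after_logout(SessionStore(revoke_on_logout=True)))
```

The same replay check works as a regression test against a real backend: after the logout call, any request carrying the old token should be answered with 401 and leave the profile unchanged.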
Happy Hacking 🥂🥂
Thanks for reading.
Please follow me for more writeups.