In this activity we're going to perform a static code review, and we're going to do it on this little source code for an Android app. It's called MainActivity.kt. Well, actually, all Android apps' main source code is called MainActivity. This is written in Kotlin. You don't need to be a coder, you don't need to be an app developer; we're just going to look for obvious things like usernames, passwords, IP addresses, API keys, things that are hardcoded into the app that really shouldn't be there, that might expose sensitive information.

You'll need Notepad++ to do this, so just find Notepad++ wherever you've installed it, or go get it if you don't have it, but you should have set it up in your setup guide. Open Notepad++. It probably initially opens up to some announcements like bug fixes and stuff; we don't care about that, just close the change log. Come over here and go File and then Open, and browse for wherever you have that MainActivity. I happen to have it on my desktop. You go find it: MainActivity.kt. The .kt stands for Kotlin. Click Open.

This is the source code for an Android weather app, and there are some notes here from the developer. What we're looking for is anything that would reveal sensitive information: passwords, API keys, IP addresses, usernames. Just scroll through here and I'll help you in just a moment. Scroll through this code. You don't need to understand the code, just look for things that might be sensitive. If an attacker were to get a hold of this app, and they could just download it from Google Play, right? If they were to get it and they were to run it through some kind of decompiler, or if they were just searching for strings in the app, because there are plenty of free tools to do that, would we be exposing sensitive information? I just want you to scroll through and look. Just look, look, look for anything that might be a problem. Scroll through, scroll through, and then I'm going to help you find it.

Okay, so we've looked. Did you see anything? I saw something. Let me go up and let me show you. The reason why I like Notepad++ is that it'll show you the lines. Do you see line 60 right here, where it says API key equals? An API key is used by an application, especially mobile apps, to authenticate themselves to a server. This implies that you have your own, or the app has its own, login to a server in order to get the weather for this weather app. We shouldn't be giving away this API key, because someone else could use it and log in as us. So this right here is a mistake; this is a vulnerability. The developer should have saved this in an encrypted format and then, when the app runs, decrypt it right then during runtime to use it. But instead they hardcoded it in. That's a bozo no-no.

Congratulations, you have just successfully performed static code analysis on a real Android app, and with that, let's move on to the next topic.
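As an added example (not from the video or the weather app it reviews), here is a small Python scanner that automates the manual search described above: it walks a Kotlin source file line by line and reports, with line numbers the way Notepad++ shows them, string literals assigned to API-key, password, username or secret-looking names, plus any IPv4 address literals. The MainActivity.kt content and every value in it are constructed for this example.

```python
import re
from typing import List, Tuple

# Names that suggest a credential; a string literal assigned to one of them
# is the kind of hardcoded value a static review should flag for removal.
SECRET_ASSIGNMENT = re.compile(
    r'\b(?P<name>\w*(?:api[_-]?key|password|passwd|pwd|secret|token|user[_-]?name)\w*)'
    r'\s*(?::\s*String)?\s*=\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
# Any dotted-quad string literal; may also catch version strings, so it is a
# lead for the reviewer, not a verdict.
IPV4_LITERAL = re.compile(r'"(?P<value>(?:\d{1,3}\.){3}\d{1,3})"')

def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for each suspicious literal in Kotlin source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):  # comments are not compiled into the APK
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((lineno, m.group("name"), m.group("value")))
        for ip in IPV4_LITERAL.finditer(line):
            findings.append((lineno, "ip_address", ip.group("value")))
    return findings

# Constructed stand-in for a MainActivity.kt; not the weather app from the video.
SAMPLE_KOTLIN = '''package com.example.weather

import android.os.Bundle

class MainActivity : AppCompatActivity() {
    // NOTE: replace before release
    private val apiKey = "PLACEHOLDER_API_KEY_1234"
    private val serverHost = "203.0.113.10"
    private val city = "Seattle"

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val password = "hunter2"
    }
}
'''

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_secrets(SAMPLE_KOTLIN):
        print(f"line {lineno}: {kind} = {value!r}")
```

Each hit is a line to pull out of the source and move into a secret store or encrypted configuration, as the video recommends; a literal that turns out to be harmless (a version string, a test city) is simply dismissed by the reviewer.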