10Mar
urbanairship basic Authorization found in Mobile Application Outgoing Traffic
I was testing an android application using Burp suite. When I opened the android application, an app "Outgoing Traffic" log was added in Burp suite Site map. The API request is:
PUT /api/channels/<channel-id> HTTP/1.1
Content-Type: application/json
Accept: application/vnd.urbanairship+json; version=3;
User-Agent: com.test.app (Custom; 5.1; UrbanAirshipLib-android/9.5.2; W_Ps1DDsQAypC5_UuKOeyg; en_US)
Authorization: Basic <auth-key>
Host: device-api.urbanairship.com
Connection: close
Accept-Encoding: gzip, deflate
Content-Length: 227
{"channel":{"device_type":"android","opt_in":false,"locale_country":"US","locale_language":"en","background":false,"tags":[],"set_tags":true,"timezone":"America\/New_York"},"identity_hints":{"user_id":"<user-id>"}}
The request has Authorization: Basic <auth-key> header while I opened the app ( Without any login). Is it fine to have a public Authorization key, because it's returning this response below:
HTTP/1.1 200 OK
Date: Wed, 10 Mar 2021 13:21:16 GMT
Location: https://device-api.urbanairship.com/api/channels/<changel-id>
Content-Type: application/vnd.urbanairship+json;version=3
Content-Length: 63
Via: 1.1 google
Alt-Svc: clear
Connection: close
{"ok":true,"channel_id":"<changel-id>"}
I found another GET endpoint of this when I tried to visit via Browser. It showed basic auth for login but when I used the Authorization token, it returned pieces of information to me. So, I am a bit confused about this request. Can anyone elaborate on this?
