
Disclosure in Action: I Verified It Without Touching AWS

Static-only verification. Confirming the AWS keys were real without ever touching the AWS API — the disclosure ground rule that became the working method.


Disclosure in Action · March 19-21, 2026 – CompleteTech LLC

Field Note 02 – Static Analysis

I verified it without touching AWS.

Once the APK showed what looked like an AWS credential pair, I slowed down and kept the validation local. I traced the evidence through decompiled code and stopped before any action that would touch the vendor's cloud environment.

The review stayed inside the APK and its decompiled source. I looked for where the values were defined, where they were passed, and what service client they were used to construct.

The relevant path was straightforward: build-time constants were used to create AWS credentials, and those credentials were passed into S3 upload code. I documented the affected package, observed builds, source locations, bucket name, region, and endpoint.

I did not authenticate with the credential. I did not enumerate the bucket. I did not retrieve objects, upload files, test writes, or call AWS APIs. The finding was validated through static evidence only.

Evidence: Package com.ruiye.jd, observed builds v1.0.78 and v1.0.87.1, and decompiled source references.
Observed use: The constants were passed into AWS S3 client code associated with upload behavior.
Hard stop: No live AWS authentication, bucket activity, object access, upload, or write testing.
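An added example, not code from this review or from the app: a text-only tracer that follows string constants into credential construction and then into an S3 client, and reports file and line references with the values redacted. It assumes the decompiled Java uses the AWS SDK classes `BasicAWSCredentials` and `AmazonS3Client`; the sample source, the `com/example/app` paths and the bucket name are constructed, and the key pair is the placeholder from AWS documentation.

```python
import re

# Constructed decompiled source (not from the APK in this note). The key pair is
# the placeholder AWS uses in its documentation. No network module is imported.
SAMPLE = {
    "com/example/app/BuildConfig.java": '''public final class BuildConfig {
    public static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    public static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
}''',
    "com/example/app/Uploader.java": '''public class Uploader {
    void upload(java.io.File f) {
        BasicAWSCredentials creds = new BasicAWSCredentials(BuildConfig.AWS_KEY, BuildConfig.AWS_SECRET);
        AmazonS3Client s3 = new AmazonS3Client(creds);
        s3.putObject("example-bucket", f.getName(), f);
    }
}''',
}

CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
CREDS = re.compile(r'(\w+)\s*=\s*new\s+BasicAWSCredentials\(\s*([\w.]+)\s*,\s*([\w.]+)\s*\)')
S3NEW = re.compile(r'new\s+AmazonS3Client\(\s*(\w+)')
KEY_ID = re.compile(r'A[KS]IA[A-Z0-9]{16}')  # access key ID shape

def redact(v):
    # Keep a 4-character prefix only for key IDs; secrets are fully masked.
    keep = 4 if KEY_ID.fullmatch(v) else 0
    return v[:keep] + "*" * (len(v) - keep)

def trace(sources):
    """Return (file, line, kind, detail) evidence rows from text matching only."""
    consts, rows, cred_vars = {}, [], set()
    for path, text in sources.items():          # pass 1: index string constants
        for n, line in enumerate(text.splitlines(), 1):
            for name, val in CONST.findall(line):
                consts[name] = (path, n, val)
    for path, text in sources.items():          # pass 2: follow them into use
        for n, line in enumerate(text.splitlines(), 1):
            m = CREDS.search(line)
            if m:
                args = [a.split(".")[-1] for a in m.group(2, 3)]
                if all(a in consts for a in args):
                    cred_vars.add(m.group(1))
                    for a in args:
                        p, ln, v = consts[a]
                        rows.append((p, ln, "constant", f"{a}={redact(v)}"))
                    rows.append((path, n, "credentials", ",".join(args)))
            m = S3NEW.search(line)
            if m and m.group(1) in cred_vars:
                rows.append((path, n, "s3-client", m.group(1)))
    return rows
```

Variable tracking here is by name across all files, which is enough for a report pointer but not a substitute for reading the call path in the decompiler.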

Responsible validation is not the same thing as maximum validation. For this finding, static analysis was enough to show the risk and prepare a report.

CompleteTech LLC – Innovation at Every Integration · Public disclosure series – 2026