[Android application pentesting] does these things are vulerabilities?


Hello !
I’m new to android pentesting i’m reading about it and i’m very interested to try bug bounty for android app.
But I would like to know :

  • Does a password or cryptographic key in storage are a vulnerability if we have to access the smartphone to get it ? like doing a backup or with rooted smartphone ?
  • Does the leak of a cryptographic key is a vulnerability if I used frida to get it ? is it really possible for applications to keep theses keys secret even if frida is used ?

Thanks !