A Polish security researcher has managed to get free beer by hacking a “bonus card app” for Android. For whatever app exactly going to want researcher Kuba Gretzky did not say, as these however only used in Poland.
Through his research to bring out he wants to give more insight into what may have similar apps kind of vulnerabilities . The app in question gives users bonus points at checkout for food or drinks in restaurants, bars or cafes. These bonus points can then be exchanged for beer or food. If users have installed can confirm the restaurant, bar or cafe purchase the Android app by operating a special bluetooth device on your smartphone or if that fails to enter a code in the app. Once the purchase has been confirmed through the app gets the user’s bonus points.
“Everyone likes free beer, so the first thing I curious about was the safety of the verification process was and how these Bluetooth devices “said Gretzky. The app and communicate the device via bluetooth with each other. The researcher was soon overtaken that equipment and technology developed by the company Estimote. The app detects that the device of a certain restaurant in the neighborhood, has an identification value of the unit and used to register new bonus through the app server.
Estimote has a software development kit (SDK) with comprehensive information made available. This allows Gretzky could figure out how the protocol and verification process. By then analyze the traffic exchanged with the verification process he discovered the code that confirms the bonus. This code can be modified and are always sent back, so that the app server also approves bonus points for purchases not made.
Gretzky mentions nowhere that he has reported or who have remedied the problems. But he concludes his analysis on several recommendations to prevent such problems, as it does not trust the smartphone users with authorization keys and using certificaatpinning so encrypted traffic can not easily be intercepted using forged certificates. It would also measures can be taken to make more difficult the analysis of the app. Furthermore, the use of encryption is recommended in the devices that communicate with the smartphone of the customer.
No comments:
Post a Comment