Friday, August 19, 2016

Researcher hacks Android rewards app for free beer – Tweakers

Researcher Kuba Gretzky decided to take a closer look at the workings of an Android app that lets users earn points when they make purchases. In a blog post he describes his research, which ultimately earned him free beer.

Gretzky deliberately does not mention the name of the app, but does indicate that it is used only in Poland. After a purchase, the app lets users collect points by letting the seller know that they want to receive them. For example, it is possible to get one beer free after buying five. His first research step led him to Estimote beacons, which the application uses to authorize the receipt of points.

That led Gretzky to the conclusion that data is being transferred wirelessly. He had previously established that the beacons process a number of values to assign points to the app. Now the data had to be intercepted. For this the researcher used software called Fiddler, which can intercept HTTP and HTTPS traffic. After some fiddling with certificates, Gretzky was able to intercept the Internet traffic of his own phone. The app's traffic could be intercepted that way because it does not use certificate pinning.

In this way the researcher saw, for example, that the authentication and the corresponding PIN were transferred in clear text. Cracking the PIN by brute force was not an option, because a limit was imposed on the number of requests. That is why he decided to intercept the PIN remotely using an ‘evil vpn’. This was set up quickly enough using an autoconfiguration script and, after some hassle, could also be made to work on Android 6.0. Gretzky could then capture and decrypt HTTPS packets using the tool SSLsplit.

Equipped with his phone and the ‘evil vpn’, Gretzky went back into the city and managed to intercept two PINs in a store by switching off his location services, because verification by proximity to a beacon was not possible in that case. He could intercept an authorization packet by switching his location services back on. The researcher was thus eventually able to conclude that the authentication keys for adding points were constantly being broadcast in shops and restaurants. By intercepting the right packet with Fiddler and modifying it, it was then possible to earn free points, and thus beer.

In his blog post Gretzky also gives some tips for improving the security of the app, such as certificate pinning and code obfuscation.

[Image: the Estimote beacons]
