Researcher hacks Android rewards app for free beer
The researcher Kuba Gretzky decided to take a closer look at how an Android app that lets users earn points on their purchases actually works. In a blog post he describes his research, which ultimately resulted in free beer.
Gretzky deliberately does not name the app, but does reveal that it is only used in Poland. Users earn points after a purchase by letting the seller know they want to receive them; with a purchase of five beers, for example, one is free. His first research step led him to Estimote beacons, which the app uses to authorize the awarding of points.
That led Gretzky to the conclusion that data was being transferred wirelessly. He had also previously established that the beacons process a number of values to assign points to the app. The next step was to intercept the data. For this the researcher used Fiddler, a proxy that can intercept HTTP and HTTPS traffic. After some fiddling with certificates, Gretzky was able to intercept the Internet traffic of his own phone. The app's traffic could be collected in this way as well, because the app does not use certificate pinning.
In this way the researcher saw, for example, that the verification and the associated PIN were transferred in plain text. Brute-forcing the PIN was not an option, as the number of requests was limited. He therefore decided to intercept the PIN remotely using an 'evil VPN'. This was set up quickly enough with the help of an autoconfiguration script, and after some hassle it also worked on Android 6.0. Gretzky was then able to capture and decrypt HTTPS packets using the SSLsplit tool.
Equipped with his phone and the evil VPN, Gretzky went back into town and was able to intercept two PINs in a store by turning off his location services; with location off, verification by proximity to a beacon was not possible. By turning location services back on he was also able to intercept an authorization packet. The researcher eventually concluded that the verification keys for adding points were being broadcast constantly in shops and restaurants. By intercepting and modifying the right packet in Fiddler it was then possible to earn free points, and therefore free beer.
In his blog post, Gretzky gives a few further tips for improving the security of the app, such as certificate pinning and code obfuscation.
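As an illustration of the first tip, here is an added example (not code from the article or from the app) of certificate pinning with OkHttp on Android: an interception proxy such as Fiddler or SSLsplit presents a certificate that does not match the pinned key, so the TLS handshake fails before any PIN is sent. The host name and the pin values are hypothetical placeholders, since the article does not name the app or its servers.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    // Hypothetical API host; the real one is not disclosed in the article.
    static final String API_HOST = "api.rewards.example";
    // Placeholder pins: base64(SHA-256(SubjectPublicKeyInfo)) of the server's
    // leaf or intermediate certificate. Obtain a real one with:
    //   openssl s_client -connect HOST:443 </dev/null | openssl x509 -pubkey -noout \
    //     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    static final String PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static OkHttpClient buildPinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // A backup pin lets the server rotate keys without locking out every installed app.
                .add(API_HOST, PIN_PRIMARY, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/points")
                .build();
        try (Response response = buildPinnedClient().newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Raised when the presented chain matches none of the pins, which is what an
            // interception proxy produces even if its CA was installed on the device.
            System.err.println("Certificate pin mismatch, request not sent: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("Network error: " + e.getMessage());
        }
    }
}
```

Pinning only protects the transport: it defeats the proxy-based interception described above, but it is no substitute for not exposing a reusable PIN in the request in the first place.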
The Estimote Beacons