Peeking into a taxi app - Security findings.

A friend of mine who's working on a taxi app asked me to take a look at it and give feedback. From my end, I want to take a slightly deeper look into the app and see what I can find.

January 9th 2018

10:05 As with everything, I try to do some research on the people behind the app first. This can help with all sorts of things especially with regards to trying to guess strings that might exist inside of the app. So far what I've found is a:

  • Webiste - Turns out you can book from the website as well. This might prove to be useful if I want to see how requests are being made to the backend
  • App - The standard client app
  • Driver app - This one was a great find. It doesn't appear unless you search for it via a web search engine since it's marked incompatible with all my devices.
  • Some miscellaneous launch articles

10:12 Downloading the APK files using apkfind

10:20 Looks like apkfind is over its quota. At least I got the client app. Will have to wait to dive into the driver app. Right. Let's get cracking then.

Opening up the client app

10:24 Decompiling the app using apk decompiler. I should probably download android studio while I'm at it.

10:33 Done. Time to read the source. I'll just use sublime for now.

10:36 Looks like they are using firebase for some backend operations.

10:37 And there we are. The config file is available for all my strings.

11:03 And after a break (putting the baby to sleep), I'm back. It looks like the app is using CodeIgniter as its backend framework.

11:09 Somewhere in the backend it also looks like its using an Express app. If I had to guess I'd say that's where the website stuff is being powered from. Hard to say.

11:11 Just realized something. The app is running on http. Well, that's strike one.

11:17 Should have done this before. Actually installing the app to see what the flow is like. Sadly I don't have all the tools installed to capture traffic on my laptop. :(

11:37 Broke out postman and I'm trying to reverse engineer the API. So far I've gone ahead and added and verified my phone number. Tried a few SQL injection attempts and it looks secure. Good stuff! :)

11:53 Small possible bug found (after putting son back to sleep :D ). Will disclose and then update.

Pausing. Son doesn't want to sleep :D

13:06 Came back. Found the data leak I suspected would exist. Will disclose. Should be trivial to patch

January 10th 2018

So a quick note from above. I didn't type in too much because

a. I was about to head out for a meeting with the team responsible for the above app
b. I wasn't sure how to type about security issues in a responsible way when live logging.

In the mean time I've been helping out the team with several possible newly discovered attack vectors and just helping them get setup to close off all possible entry points from both client and server side.

For context of anyone who ever wants to work on this kind of thing, my general steps are:

  1. Decompile app
  2. Find whatever URL and API strings you can in the app by doing searches for things like "http" or ".com" or "KEY".
  3. Look for how those values are being used in the app. This will help inform you what to do when reverse engineering HTTP requests
  4. Open up Postman (curl will work fine, but Postman's interface is just too good to say no to), and start making requests to all those URL's you've found. Mix and match parameters. Try out different methods (sometimes a server can yield odd results for a GET requests when it was expecting a POST to a given endpoint)
  5. If you find anything that can be used offensively DO NOT do that. Immediately reach out to the company in whichever way possible, inform them that a possible breach exists, and that you have not fully tested it. Ask them for permission to test if you can.
  6. Be responsible. Not harmful :)

Also, I'll be marking this project complete here. When the bugs are complete, I'll get permission to write a disclosure post on the engineering blog and if I do, I'll be able to dive into bugs found. Mind you, these are not uncommon things. I've analyzed several apps made by startups in SL and many of them had the same issues, so I assume there'll be knowledge in this that'll be helpful to all.

Posted on January 09 2018 by Adnan Issadeen