
How a Developer Hacked an Android App to Get Free Beer

Bluetooth beacons are wireless sensors that broadcast radio signals that are picked up by smartphones to unlock micro-location and contextual awareness. A connected app on your phone can interpret the beacon’s proximity to locations or objects by type, ownership, approximate location, and motion to connect your device to the real world.

The technology is used in a range of pubs and restaurants in Poland for verifying purchases in a smartphone app to collect points and earn rewards. In a recent post on BreakDev.org, Kuba Gretzky explains how he hacked an Android app to bypass the beacon and earn himself free beer.

The manufacturer’s SDK documentation shows what information the beacon transmits, and the manufacturer also publishes an Android library that lets any application listen to beacon broadcasts. Gretzky then found that the broadcast range is up to 70 metres, so the values that are probably used to authorise rewards are, in theory, available over the air to anyone within range.

The manufacturer also provides a Developer App for debugging and troubleshooting, which reads the key values from a nearby beacon. To learn how the loyalty application talks to its server, Gretzky used Fiddler, an HTTP/HTTPS proxy for Windows, to intercept and decrypt the HTTPS traffic from his phone while in the restaurant.

Once Fiddler was set up, he was able to intercept the public app’s traffic since they hadn’t implemented certificate pinning. Without the target restaurant’s beacon nearby, Gretzky used the venue’s place_id instead, but could not guess the associated four-digit PIN. The account locked down for 30 minutes after five failed attempts, so he began setting up an interception VPN to be used over 3G/4G on his mobile phone while in the restaurant.

Connecting the VPN on Android 6.0 required a minor workaround. Gretzky then visited restaurants to test the live packet capture alongside the developer app, succeeding at the third venue and collecting the broadcast UUID, Major number and Minor number.
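To make concrete what "UUID, Major number and Minor number" means on the air, here is an added example (not code from the article, nor from the beacon vendor) that decodes those three fields from a raw Bluetooth LE advertising payload. It assumes the standard iBeacon layout (manufacturer-specific AD structure, Apple company ID 0x004C, sub-type 0x02, length 0x15), which the article does not name; the sample payload is constructed. The point for a defender is that everything the parser returns is static and readable by any BLE listener in range, so a server must never treat the triple as a secret.

```python
"""Decode the iBeacon triple (UUID, Major, Minor) from a BLE advertising payload.

Added example, not code from the original article or from the beacon vendor.
The iBeacon frame layout is assumed (the article does not name the format);
SAMPLE_ADV is a constructed payload, not a capture from any real venue.
"""
import uuid

# Company ID 0x004C (little-endian), sub-type 0x02, remaining length 0x15 (21 bytes).
IBEACON_PREFIX = bytes.fromhex("4c000215")

# Constructed advertising payload: a Flags AD structure followed by an iBeacon
# manufacturer-specific AD structure (length 0x1A = 26 = type + prefix + 21 bytes).
SAMPLE_ADV = bytes.fromhex(
    "020106"                              # AD: len 2, type 0x01 (Flags), LE General Discoverable
    "1aff"                                # AD: len 26, type 0xFF (manufacturer specific)
    "4c000215"                            # iBeacon prefix
    "00112233445566778899aabbccddeeff"    # proximity UUID (constructed)
    "0102"                                # Major = 0x0102 = 258
    "0304"                                # Minor = 0x0304 = 772
    "c5"                                  # measured power at 1 m, signed: 0xC5 = -59 dBm
)


def split_ad_structures(payload: bytes):
    """Yield (ad_type, data) for each AD structure: [length][type][data...]."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # a zero-length structure marks the start of padding
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        yield ad_type, data
        i += 1 + length


def parse_ibeacon(payload: bytes):
    """Return {'uuid', 'major', 'minor', 'tx_power'} or None if no iBeacon frame is present."""
    for ad_type, data in split_ad_structures(payload):
        if ad_type != 0xFF or not data.startswith(IBEACON_PREFIX):
            continue
        body = data[len(IBEACON_PREFIX):]
        if len(body) != 21:
            raise ValueError("iBeacon body must be 21 bytes (16 UUID + 2 major + 2 minor + 1 power)")
        return {
            "uuid": str(uuid.UUID(bytes=body[:16])),
            "major": int.from_bytes(body[16:18], "big"),
            "minor": int.from_bytes(body[18:20], "big"),
            # Calibrated RSSI at one metre; apps use it only to estimate distance.
            "tx_power": int.from_bytes(body[20:21], "big", signed=True),
        }
    return None


if __name__ == "__main__":
    # Every field printed here was readable without any pairing or secret.
    print(parse_ibeacon(SAMPLE_ADV))
```

Because the triple never changes and is transmitted unauthenticated, a loyalty back end that accepts it as proof of presence is really accepting a value any nearby phone can record; a verification step on the server needs something the beacon broadcast alone cannot supply.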

Gretzky released a simple script for decoding sslsplit captures into clear text, which let him confirm that the values in the reward authorisation request were the same as those detected in the live broadcast with the developer app. It is more than likely that these values are constantly broadcast over the air in every affiliated restaurant, exposing the same weakness to anyone listening in those venues.

Original Article

How I Hacked an Android App to Get Free Beer


Comments

Justin Cayse

So he figured out a novel way to cheat a small business owner out of a product that they have to pay a supplier for.  Great job!


Customer loyalty programs don't need to maintain dual-control checks and verifications to prevent fraud.  These sorts of apps can be made to be simple for users and employees because the business is always going to rely on employees as the last line of defense -- if this guy were to come in every day, or every week demanding his free beer for his 10th visit, the employees are going to eventually catch on and tell this guy to hit the bricks.  Meanwhile, this inexpensive app is doing what the owners want it to do for 99.99% of their customers.


This might be an issue once restaurant and cafe owners find the technology to prevent all dine and ditch losses.  Because they're going to lose a lot more on those than this app's "flaw" will ever lose them.

Murtlap

Great tips. That's why it is essential to have a good VPN service. I prefer to stay anonymous while surfing the Web. I don't want some hackers to steal my personal information. Usually I use ExpressVPN, which I found on https://myipservices.com/vpnrating/ . Convenient service.