How a Developer Hacked an Android App to Get a Free Beer
Imagine hacking an Android App just to get a free beer! This is what Kuba Gretzky, a developer from Poland did and earned himself a chilled beer.
Most pubs and restaurants around the world give free beers, dinners, or lunch coupons in their Android App to lure potential customers. Gretzky though that it would be worthwhile to hack such an offer and get something in return. In a post on BreakDev.org, Kuba Gretzky explains how he hacked EatApp Android app to bypass the beacon and earn himself a free beer.
Apparently, pubs and restaurants in Poland use Bluetooth Beacons for verifying purchases in a smartphone app to award bonus points and rewards. Gretzky hacked the broadcast signals and earned himself a beer.
Gretzky says in his blog post, “as an example, one of the places offers you a free beer for 5 points and each purchased beer grants you 1 point. That gives you a free beer for every 5 purchased beers in that place
Here is how he did it
Bluetooth beacons are wireless sensors that broadcast radio signals that are picked up by smartphones to unlock micro-location and contextual awareness. This helps the restaurants and pubs to verify purchases and also award patrons with points, offers and coupons. Gretzy found that most of these beacon in Poland are manufactured by a company called Estimote.
Gretzky studied Estimote’s App documentation which gave him inputs about the information beacon transmits. Further, he got access to an Android library to simplify listening to beacon broadcasts via any application. He then discovered that the broadcast range is up to 70 metres, so in theory, the broadcasted values that are probably used for authorising rewards are broadcast over the air.
Once he was able to hone in the range, he used the Developer App to gather critical information from the beacon. Then he used the HTTP/HTTPS Windows proxy Fiddler so he could intercept and decrypt HTTPS communication from the phone in the restaurant to learn how the application communicates with the server.
Once Fiddler was set up, he was able to intercept the public app’s traffic since they hadn’t implemented certificate pinning. Without the target restaurant’s beacon nearby, Gretzky used the venue’s place_idinstead, but could not guess the associated four-digit PIN.
While bruteforcing the four-digit PIN, he got his account locked down for 30 minutes after five failed attempts. He then set an interception VPN to be used over 3G/4G on his mobile phone while in the restaurant. This required a minor workaround to connect the VPN on Android 6.0, but Gretzky then began visiting restaurants to test the live packet capturing with the developer app, finding success in the third venue and collecting the broadcast values for UUID, Major number, and Minor number.
Gretzky released a simple script for decoding the sslsplit packets into clear text form, allowing him to confirm the values were the same in the request authorisation packet as those detected in live broadcast with the developer app.
It is more than likely that these values are constantly broadcast over the air in every affiliated restaurant, exposing multiple vulnerabilities to hackers. However, Gretzky was happy with the beer that he earned through the process.
He has explained the entire process on his blog here.