Security research – Android applications

Android applications are awesome. Especially the ones that talk to a service provider over the network.

I like to reverse engineer communication protocols / APIs between various client applications and their servers, since anything that my phone does, I could technically automate it or have access to the same functionality from my PC.

Today I looked into CleverTaxi, the largest solution to call a cab from your smartphone in Bucharest. I’ve noticed two problems:

– They talk to their server via HTTPS, but they don’t properly validate the certificate. So I could easily sniff all the API calls from my MITM network PC.

– The server API that makes the app work doesn’t require any authentication. For example, the app displays all the cab positions on top of the city map. For that functionality to work, the app makes a GET request to the server and gets a json response with the coordinates of all the cabs connected to the app. That API call is basically public and anyone can get the coordinates of all the cars, along with the company that owns each car. The positions are updated about each second, so I believe one could implement an algorithm that follows the feed of coordinates and tracks each car based on their position. I believe this is a privacy issue for the drivers.

Here I hooked the coordinate feed to Google Maps API (the icons were slightly changing position at 2 second interval):
Screenshot 1Screenshot 2