Ola Cabs Privacy Security Issue discovered by AppWatch

Hello Everyone,

At Attify, we have been working for months now to come up with AppWatch, the best mobile security assessment platform to help developers, penetration testers, managers and even *CISOs* with enterprise mobile security.

We launched an early community version of AppWatch 4 months back, and got a really great response from the developer and security community. Thanks everyone for helping us improve AppWatch and making it more relevant to your needs.

We are currently working actively to come up with the next version of AppWatch, and evolving it from a tool to a complete mobile security platform for enterprises.

This blog post will discuss one of the vulnerabilities we discovered with AppWatch in Ola Cabs (a major competitor to Uber), the most popular cab ride service in India.

The vulnerability lies in one of their APIs, revealed during the application usage. (Sorry, we are not allowed to reveal the exact technical details of the vulnerability).

So, in order to identify the vulnerability, a pentester would:

  • Need to install and run the application
  • Set up a proxy on their host system
  • Configure the proxy in the Android device
  • Look into each and every request to find the vulnerability

This process typically takes 3-4 hours of work for a skilled pentester.

With AppWatch, you can find the vulnerability, as well as create a POC in less than 5 mins. That’s how powerful and easy to use AppWatch is.

The first step is to log in to your AppWatch portal. Since Google Play support is already integrated in AppWatch, you just need to search for Ola Cabs in the search box.

[![AppWatch - The best mobile security platform](http://blog.attify.com/content/images/2015/02/attify-login-screen.png)](http://blog.attify.com/content/images/2015/02/attify-login-screen.png)

AppWatch Login Screen

Once you start analysis, it will automatically create a new instance for you (we love [Docker](https://www.docker.com/)), where it will install and run the application. You will see a screen similar to the one shown below.

[![Analysing Ola Cabs in AppWatch ](http://blog.attify.com/content/images/2015/02/screenshot-with-no-network-traffic.png)](http://blog.attify.com/content/images/2015/02/screenshot-with-no-network-traffic.png)

Analysing Ola Cabs in AppWatch

You can use the application normally, and AppWatch will show you the **application’s network traffic in real time**. AppWatch is an **intelligent platform** that automatically **identifies APIs which could be vulnerable**. As soon as the app does something which AppWatch identifies to be vulnerable, it simply displays a *vulnerable* tag along with the request.

[![AppWatch identifying vulnerable APIs ](http://blog.attify.com/content/images/2015/02/vulnerable-tag.png)](http://blog.attify.com/content/images/2015/02/vulnerable-tag.png)

AppWatch identifying vulnerable APIs

You can now click on the **request** to have it expanded to show you both the request and response with all the parameters and headers, which you can modify and replay from the same window. [*Isn’t it awesome*](https://appwatch.io)?

[![Editing live requests in AppWatch](http://blog.attify.com/content/images/2015/02/editing-live-requests.png)](http://blog.attify.com/content/images/2015/02/editing-live-requests.png)

Editing live requests in AppWatch

Once you hit replay, and see that it’s really vulnerable, you can easily create a POC by clicking on the **Create POC** button in the replayed request. AppWatch automatically identifies what kind of vulnerability it is, and shows you corresponding POC creation parameters.

[![Automated POC creation in AppWatch](http://blog.attify.com/content/images/2015/02/creating-poc.png)](http://blog.attify.com/content/images/2015/02/creating-poc.png)

Automated POC creation in AppWatch

You can now configure the parameters, and click on **Create POC** to have AppWatch generate the complete vulnerability POC for you. You’ll see the URL of the newly created POC right there. Depending on the vulnerability found, the POC generated will be different, and you can even customize the complete POC according to your needs.

[![POC Creation complete](http://blog.attify.com/content/images/2015/02/poc-created.png)](http://blog.attify.com/content/images/2015/02/poc-created.png)

POC Creation complete

Once the POC has been generated, you can go to the POC link, and it looks something like the one shown below.

[![Ola Cabs Security Issue POC Website](http://blog.attify.com/content/images/2015/02/Screen-Shot-2015-02-02-at-4.28.21-AM.png)](http://blog.attify.com/content/images/2015/02/Screen-Shot-2015-02-02-at-4.28.21-AM.png)

Ola Cabs Security Issue POC Website

The vulnerability reveals the complete user details of any user: how much he has travelled, his recent travel bookings, wallet details including the credit, amount credited and debited, previous booking reference numbers and much more – all with just the user’s email id.
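The post withholds the API's details, so the following is an added example, not Attify's or Ola's code: a constructed illustration of the general class this description fits, where a lookup is keyed on a client-supplied email with no check against the authenticated caller, shown beside a hardened handler and a regression check. All names, tokens and records are hypothetical.

```python
# Constructed illustration: every name, token and record here is hypothetical.
from dataclasses import dataclass

# Constructed sample data standing in for a backend user store.
USERS = {
    "alice@example.com": {"rides": 12, "wallet_balance": 250, "bookings": ["REF-001"]},
    "bob@example.com": {"rides": 3, "wallet_balance": 40, "bookings": ["REF-002"]},
}
# Constructed session table: opaque token -> email proven at login.
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}


@dataclass
class Response:
    status: int
    body: dict


def profile_vulnerable(params: dict, headers: dict) -> Response:
    """Treats the client-supplied email as both selector and credential."""
    record = USERS.get(params.get("email", ""))
    return Response(200, record) if record is not None else Response(404, {})


def profile_hardened(params: dict, headers: dict) -> Response:
    """Derives identity from the session; the email parameter cannot widen access."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return Response(401, {})
    if params.get("email", caller) != caller:
        # Same answer whether or not the other account exists (no enumeration).
        return Response(403, {})
    return Response(200, USERS[caller])


def cross_account_exposed(handler) -> bool:
    """Regression check: can Bob's session read Alice's record?"""
    resp = handler({"email": "alice@example.com"},
                   {"Authorization": "Bearer tok-bob"})
    return resp.status == 200 and resp.body == USERS["alice@example.com"]
```

Running `cross_account_exposed` against every profile-style endpoint in an API test suite keeps this class of flaw from regressing after it has been patched.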

Below is a video demo of the vulnerability mentioned in the blog post.

Thanks for going through the blog post. If you are excited about AppWatch and want to try it out for free as soon as it launches in March 2015, sign up at https://appwatch.io. Also, just AAMOF, we recently found a vulnerability in one of the apps by Twitter, using AppWatch (in less than 5 mins), which landed us a bounty of $980. 🙂

Please direct all mails regarding the blog post to secure [at] attify [dot] com. If you want to share this on Twitter, please mention us at @attifyme.

Also, if you’re from India, the Attify team will be present at an upcoming event, Nullcon in Goa, from Feb 5th-7th, and at StartupGrind at Redmond City, CA, US from Feb 9th-11th. And if you’re from the Bay Area, feel free to drop us a mail in case you want to discuss your enterprise security issues and how Attify can help you solve them.

We appreciate the responsible disclosure policy by Ola Cabs, and we made the post public only when the vulnerability was completely patched. The ultimate goal is to support the startups who are helping us everyday, like Ola, and not to harm their reputation.

Here’s a quick timeline :

  • Vulnerability Disclosed to Ola: Feb 1st, 2015
  • Vulnerability Patched: Feb 3rd, 2015 (Amazingly fast response by Ola Security Team)
  • Blog Published (Made public): March 23rd, 2015

It’s really good to see Indian startups like Ola focusing so much on security, and patching the reported vulnerabilities in less than 48 hours. We love working with companies, their security teams and developers to make their applications secure.

Contact us to get the security assessment of your application done or to get AppWatch for your organisation.

A list of services Attify currently provides –

[![Attify Mobile and IoT Security ](http://blog.attify.com/content/images/2015/02/attify-services.png)](http://blog.attify.com/content/images/2015/02/attify-services.png)

Attify Mobile and IoT Security

Signing off.

Attify Team
