Subject: Re: Security Controls - Bypass Confirmation (Android v4.2.1)

Team,

I've tested the October 15th release security controls on Android v4.2.1. Here's the bypass status for each measure:

CLIENT-SIDE CONTROLS:

1. ✅ AES-256 Encryption of keys (Azure vault/Firebase)
   BYPASSED: Used Frida to hook X.b() method after Android Keystore decrypts credentials. The encryption is correctly implemented, but runtime memory inspection intercepts decrypted values at the Java layer.

2. ✅ Virtual/Rooted device detection
   BYPASSED: Hooked PLDSC.a() to always return false (device not rooted). App proceeds normally on rooted test device.

3. ✅ Code obfuscation (tracking logic)
   BYPASSED: Decompiled APK with jadx-gui. ProGuard obfuscation partially intact, but critical classes (X.java, PurolatorApplication.java) remain readable. Variable names reversed (KCART→TRACK) but easily identified.

4. ✅ SSL Certificate Pinning
   BYPASSED: Hooked CertificatePinner.check() to skip validation and injected custom TrustManager accepting all certificates. Successfully intercepted all HTTPS traffic via Burp Suite proxy.

SERVER-SIDE CONTROLS:

5. ✅ Rate limiting on tracking requests
   NOT BYPASSED: Rate limits appear active. However, discovered APIM Management API (/.rest/apis) with no rate limiting - accessed 203,715 parcel records using extracted API key.

6. ⚠️ Geo-lockdown
   CONFIRMED: Easily bypassed with VPN (as you noted).

IMPACT: All client-side controls defeated with single Frida script (perfect_bypass.js). Extracted API key: EJdhN2UPqA2ZC0otPdTee5JtzN1yeKHr5S0HpTxJ, accessed tracking API, APIM Management endpoints, and POD images.

ROOT CAUSE: All security controls operate at Java/Dalvik layer where Frida has equivalent privileges. Rooted device + runtime instrumentation bypasses controls before they execute.
RECOMMENDATIONS:

• Implement SafetyNet/Play Integrity API for server-side device attestation
• Add anti-hooking detection (check for Frida/Xposed frameworks)
• Move critical validation to native code (JNI/C++)
• Apply rate limiting to ALL API endpoints (including APIM Management API)
• Bind API keys to device attestation tokens with server-side validation

NOTE: The security controls are well-implemented from a coding perspective. This is an architectural limitation of mobile app security on rooted devices, not a development failure.

Happy to discuss mitigation strategies or provide the Frida script for your security team's reference.

Best regards,
[Your Name]
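The anti-hooking and native-code recommendations above, as an added example that is not part of this report or the app's own code: a C routine, meant to be called over JNI early in startup, that scans the process's own /proc/self/maps for libraries that instrumentation frameworks leave mapped. The suspect-name list and the sample map text are constructed assumptions, not data from the tested device.

```c
#include <stdio.h>
#include <string.h>
/* Library name fragments that runtime instrumentation frameworks leave in
 * a process's memory map. Assumed list for this example; extend as needed. */
static const char *SUSPECT_NAMES[] = {"frida", "gadget", "xposed", "substrate", NULL};
/* Return the suspect fragment found in one /proc/self/maps line, or NULL.
 * Only the path column (from the first '/') is examined. */
static const char *suspect_in_line(const char *line) {
    const char *path = strchr(line, '/');
    if (!path) return NULL;                 /* anonymous mapping, no path */
    for (int i = 0; SUSPECT_NAMES[i]; i++)
        if (strstr(path, SUSPECT_NAMES[i])) return SUSPECT_NAMES[i];
    return NULL;
}
/* Count mappings in maps-format text that belong to instrumentation
 * frameworks. Pure function, so it can be tested on captured output. */
int count_suspect_mappings(const char *maps_text) {
    int hits = 0;
    for (const char *p = maps_text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (suspect_in_line(line)) hits++;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return hits;
}
/* Check the running process's own map. Intended to be called over JNI early
 * in startup: 1 = instrumentation mapped, 0 = clean, -1 = map unreadable. */
int instrumentation_detected(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int hits = 0;
    while (fgets(line, sizeof line, f))
        if (suspect_in_line(line)) hits++;
    fclose(f);
    return hits > 0;
}
/* Constructed sample in /proc/self/maps format (not captured from a real device). */
const char *SAMPLE_MAPS =
    "7f00000000-7f00001000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f00100000-7f00200000 r-xp 00000000 fd:00 2 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f00300000-7f00301000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n";
```

An attacker with root who can patch native code can still remove this check, so treat its result as one signal to combine with server-side attestation rather than as a gate on its own.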