# Canada Post App - Security Analysis Checklist ## 🔍 Analysis Progress ### ✅ Completed - [x] Decompiled APK and analyzed structure - [x] Found Firebase Remote Config with OAuth credentials - [x] Successfully authenticated with OAuth fallback credentials - [x] Obtained valid JWT tokens (app-level attestation) - [x] Identified AWS Signature V4 implementation (o6 package) - [x] Located token inject interceptor (g9.w) - [x] Found session manager (g9.d) - [x] Identified root detection (Firebase Crashlytics) - [x] Found SSL pinning implementation (OkHttp CertificatePinner) ### 🔄 In Progress - [ ] Extract real user session tokens (requires login) - [ ] Determine if AWS signature is actually validated - [ ] Check SSL pinning configuration - [ ] Test anonymous tracking capabilities ### ⏳ Pending - [ ] Bypass user authentication - [ ] Access protected MyMail endpoints - [ ] Access protected Tracking endpoints - [ ] Test privilege escalation ## 🎯 Attack Vectors ### 1. **Authentication Bypass** (HIGH PRIORITY) **Goal**: Access user-specific APIs without proper authentication **Approach**: - Hook `g9.w.intercept()` to inject custom tokens - Hook `g9.d.a()` to return fake session tokens - Test if APIs validate token signatures - Try token reuse attacks **Tools**: - Frida hook: `frida_comprehensive_hook.js` - Python tester: `test_aws_signature.py` **Status**: ⏳ Waiting for VPN connection --- ### 2. **AWS Credential Extraction** (HIGH PRIORITY) **Goal**: Extract AWS access keys for API signing **Potential Sources**: - Firebase Remote Config (already checked - not there) - Hardcoded in app (search for "AKIA" prefix) - Environment variables - Retrieved at runtime from backend **Approach**: - Hook `o6.e` (AWS config class) to capture credentials - Hook `o6.m.a()` to see signing process - Monitor all API requests for X-Amz-* headers - Decompile and search for AWS-related strings **Tools**: ```bash # Search for AWS keys grep -r "AKIA" cpc/ grep -r "AWS.*KEY" cpc/ grep -r "SecretAccessKey" cpc/ ``` **Status**: ⏳ Needs investigation --- ### 3. **SSL Pinning Bypass** (MEDIUM PRIORITY) **Goal**: Intercept HTTPS traffic with Burp/mitmproxy **Implementation Found**: - `okhttp3.CertificatePinner` (uq.g in obfuscated code) - Default: `CertificatePinner.DEFAULT` (no pinning) **Approach**: - Check if app configures custom pinning - Hook `uq.g.a()` to bypass validation - Test with proxy (Burp Suite / mitmproxy) **Tools**: - Frida hook: Already in `frida_comprehensive_hook.js` - Proxy: Burp Suite / mitmproxy **Status**: ✅ Hook ready, needs testing --- ### 4. **Root/Emulator Detection** (LOW PRIORITY) **Goal**: Run app on rooted device/emulator **Implementation Found**: - `CommonUtils.isRooted()` in Firebase Crashlytics - Used for telemetry only (NOT blocking) **Approach**: - Hook `isRooted()` to return false - Check if app has other root checks - Test on rooted device **Tools**: - Frida hook: Already in `frida_comprehensive_hook.js` **Status**: ✅ Hook ready, likely not needed --- ### 5. **Token Manipulation** (HIGH PRIORITY) **Goal**: Modify JWT tokens to escalate privileges **Current Tokens**: - App-level: `cpc-appcheck-android` (OAuth fallback) - User-level: Unknown (need to capture) **Approach**: - Capture real user token via Frida - Decode JWT payload - Identify claims (user ID, permissions, etc.) - Test token modification - Test token replay attacks **Tools**: ```python import jwt # Decode token (no verification) payload = jwt.decode(token, options={"verify_signature": False}) ``` **Status**: ⏳ Need to capture user token first --- ## 🛠️ Tools & Scripts | Tool | Purpose | Status | |------|---------|--------| | `frida_ultimate_bypass.js` | **ULTIMATE** SSL + Root + Emulator + Analytics | ✅ **NEW!** | | `frida_comprehensive_hook.js` | Hook auth, AWS, SSL, root, emulator | ✅ Updated | | `frida_simple_auth_hook.js` | Lightweight auth + security hooks | ✅ Updated | | `test_aws_signature.py` | AWS Sig V4 implementation | ⚠️ Needs real creds | | `appcheck_bypass_REAL_POC.py` | OAuth authentication | ✅ Working | | `COMPREHENSIVE_EXPOSURE_TEST.py` | API endpoint testing | ✅ Working | --- ## 📋 Testing Workflow ### Phase 1: Dynamic Analysis (VPN Required) ```bash # 1. Start Frida server on device adb push frida-server /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &" # 2. Run comprehensive hooks frida -U -f ca.canadapost.android -l frida_comprehensive_hook.js --no-pause # 3. Actions in app: # - Open app # - Login with real account # - Navigate to MyMail # - Track a package # - Check Frida output for tokens # 4. Capture user token and test APIs python test_aws_signature.py ``` ### Phase 2: Static Analysis ```bash # Search for AWS credentials grep -r "AKIA" cpc/ > aws_keys.txt grep -r "aws.*secret" cpc/ --ignore-case >> aws_keys.txt # Search for API endpoints grep -r "execute-api" cpc/ > endpoints.txt grep -r "amazonaws" cpc/ >> endpoints.txt # Search for hardcoded tokens grep -r "Bearer\|Authorization" cpc/ > auth_patterns.txt ``` ### Phase 3: Exploitation ```bash # Once we have real user tokens: python COMPREHENSIVE_EXPOSURE_TEST.py # Test all endpoints python test_aws_signature.py # Test with AWS sig # If successful: # - Document vulnerability # - Test data access scope # - Test privilege escalation # - Create disclosure report ``` --- ## 🚨 Risk Assessment ### Current Findings: **CONFIRMED:** - ✅ **OAuth Credentials Exposed** (Medium) - Fallback client ID/secret in Firebase Remote Config - Allows app-level authentication - Cannot access user data APIs **LIKELY:** - ⚠️ **User Session Required** (Expected behavior) - APIs properly check user authentication - App-level token insufficient - Need username/password for actual access **UNKNOWN:** - ❓ **AWS Credentials** (TBD) - May be hardcoded or retrieved at runtime - If exposed: HIGH severity (direct API access) - If not exposed: Proper implementation **NOT VULNERABLE:** - ❌ **Root Detection Blocking** - Only used for telemetry - Does not block functionality --- ## 📝 Next Actions 1. **Connect to VPN** ✋ (Waiting on you) 2. **Run Frida Hooks**: ```bash RUN_FRIDA_HOOKS.bat # Select option 1 (Comprehensive) ``` 3. **Login to App**: - Use real account - Monitor Frida output - Capture user session token 4. **Test User Token**: - Update Python scripts with captured token - Re-run `COMPREHENSIVE_EXPOSURE_TEST.py` - Check if endpoints return 200 OK 5. **Extract AWS Credentials**: - Check Frida output for o6.e hooks - If found, update `test_aws_signature.py` - Test AWS-signed requests 6. **Document Findings**: - Create final vulnerability report - Assess real impact - Prepare disclosure --- ## 🎓 Learning Resources ### AWS Signature V4 - Official AWS Docs: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html - Our implementation: `o6/m.java`, `o6/k.java`, `o6/n.java` ### Frida Hooking - Frida Docs: https://frida.re/docs/javascript-api/ - Our hooks: `frida_comprehensive_hook.js` ### Android Security - Root Detection: `CommonUtils.isRooted()` - SSL Pinning: `CertificatePinner` (uq.g) - OAuth 2.0: RFC 6749 --- **Ready for next phase when you're on VPN!** 🚀