#!/usr/bin/env python3 """ Check if Firebase is actually used in Purolator Android APK """ import os import sys def search_firebase_usage(): print("\n" + "="*80) print("FIREBASE USAGE ANALYSIS") print("="*80) search_patterns = { "Firebase Config": [ "deliverymate-d632e", "AIzaSyDzc8AbcelktMjauaLOnvoJaM1A_ySTZ5A", "985278381172" ], "Firebase Classes": [ "com/google/firebase", "FirebaseApp", "FirebaseDatabase", "FirebaseFirestore", "FirebaseMessaging", "FirebaseAnalytics" ], "Firebase Initialization": [ "initializeApp", "getInstance", "getDatabase", "getFirestore" ] } print("\n[*] Searching for Firebase usage patterns...") print("[*] This will help determine if Firebase is actually used\n") # Check if we're in the right directory if not os.path.exists('com'): print("[-] Not in decompiled APK directory") print("[*] Please run this from: C:\\Users\\Roose\\Downloads\\8c7481c52661c4933b707a14e6cd22ba-java") return findings = {} for category, patterns in search_patterns.items(): print(f"\n[{category}]") findings[category] = [] for pattern in patterns: # Search in all Java files cmd = f'grep -r "{pattern}" . --include="*.java" 2>nul' try: result = os.popen(cmd).read() if result: lines = result.strip().split('\n') findings[category].append({ 'pattern': pattern, 'count': len(lines), 'files': [line.split(':')[0] for line in lines[:5]] }) print(f" • {pattern}") print(f" Found in {len(lines)} locations") if len(lines) <= 5: for line in lines: print(f" {line[:100]}") except Exception as e: continue if not findings[category]: print(" (none found)") # Analysis print("\n" + "="*80) print("ANALYSIS") print("="*80) has_config = len(findings["Firebase Config"]) > 0 has_classes = len(findings["Firebase Classes"]) > 0 has_init = len(findings["Firebase Initialization"]) > 0 if has_config and has_classes and has_init: print("\n[!] Firebase IS actively used in the app") print(" Config found: Yes") print(" Classes found: Yes") print(" Initialization found: Yes") print("\n[*] Recommendation: Test Firebase authentication bypass") elif has_config and not (has_classes or has_init): print("\n[+] Firebase config found but NOT actually used") print(" Config found: Yes") print(" Classes found: No") print(" Initialization found: No") print("\n[*] Analysis: Likely dead code or web app leftover") print("[*] Focus on Salesforce vulnerability instead") elif not has_config: print("\n[*] Firebase config NOT found in Android APK") print("[*] Config likely comes from web app (JavaScript)") print("\n[*] Recommendation:") print(" 1. Check browser console on https://www.purolator.com/track") print(" 2. Look for firebase-app.js or firebase-config in network tab") print(" 3. Firebase is for web tracking, not Android app") else: print("\n[?] Unclear Firebase usage pattern") print(f" Config: {has_config}") print(f" Classes: {has_classes}") print(f" Init: {has_init}") if __name__ == "__main__": search_firebase_usage()