How Ride-hailing app Pathao is dangerously close to malware
Pathao, Bangladesh's version of Go-Jek and the country's most successful two-wheeler ride-sharing app, is facing immense criticism. The Pathao app is accused of collecting users' list of installed apps, all contacts and all SMS, and sending all of this confidential user data to its server on a regular basis, just like a malicious/spyware app.
Pathao uses a classic misdirection technique, the kind magicians always use, to trick users into granting permission to access messages and contacts. When the app is installed, the user is told that, in order to function properly and give the best experience, the app needs the location/GPS permission.
The user is then prompted by Android to grant the app location access.
Everything is fair up to this point. But then, out of nowhere, the user is prompted by Android (not the app) to grant the app access to contacts and SMS.
See how Pathao misdirects you into granting unsolicited permissions. As a professional magician, I use the same technique to keep my audience busy looking at a big object while I vanish small objects in front of their eyes, without them ever noticing.
Users were first given proper reasoning for why the app needed the device's location permission, but no reason was given for why it needed permission to read SMS and contacts.
90% of users never notice that they have given the app permission to read their SMS or contacts.
A video on social media claimed that Pathao was collecting users' contacts and SMS and sending all this confidential data to its server.
As an information security professional, I tried to find out for myself whether the claim is really true.
Here I describe the two ways I confirmed that Pathao is stealing data:
- Performing a man-in-the-middle test to check what data the Pathao app sends to its server
- Decompiling the Pathao app and doing a forensic analysis of its code
METHOD 1: Doing a man-in-the-middle test:
First, I downloaded and launched Burp Suite (the free Community Edition is sufficient). Then I enabled its proxy listener and pointed the mobile phone's Wi-Fi proxy at the laptop's IP address and the port Burp was listening on.
We downloaded Burp Suite's PortSwigger CA certificate onto the phone.
On the phone, Settings -> Security -> Trusted Credentials should now show the new "PortSwigger CA" as a system trusted CA.
Now it's possible to set up the proxy and start intercepting any and all app traffic with Burp Suite.
The HTTPS traffic analysis:
Pathao sends two POST requests to api.pathao.com/v1/me every time the app is opened. The body of the request contains the contacts saved in the phone and the SMS sent or received. It sends the updated SMS from the user's phone every few minutes. The following image shows the messages that Pathao had sent to its server:
They were also sending the whole contact list from the user's phone to their server, and sending it over and over again as long as the Pathao app was kept open.
Thanks to Mr. Ashik Ishtiaque Emon, who first did this man-in-the-middle test and brought the issue to light.
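As an added example (not code from the original post, from Mr. Emon or from Pathao), here is a small Python check a tester could run over exported proxy records to flag the behaviour described above: POST bodies carrying SMS or contact lists, and the same endpoint receiving them repeatedly. The log entries and the JSON body layout are constructed for illustration; the post does not show Pathao's actual request schema.

```python
import json
import re
from collections import Counter

# Constructed proxy records in a Burp-like shape (not real captured Pathao traffic);
# the JSON body layout is an assumption, since the post does not show the real schema.
SAMPLE_LOG = [
    {"ts": "10:00:01", "method": "POST", "host": "api.pathao.com", "path": "/v1/me",
     "body": json.dumps({"contacts": [{"name": "Alice", "number": "+8801711111111"}],
                         "sms": [{"from": "16247", "body": "Your bKash OTP is 482913"}]})},
    {"ts": "10:00:02", "method": "POST", "host": "api.pathao.com", "path": "/v1/me",
     "body": json.dumps({"sms": [{"from": "+8801722222222", "body": "See you at 5"}]})},
    {"ts": "10:00:05", "method": "GET", "host": "api.pathao.com", "path": "/v1/rides", "body": ""},
    {"ts": "10:04:30", "method": "POST", "host": "api.pathao.com", "path": "/v1/me",
     "body": json.dumps({"contacts": [{"name": "Alice", "number": "+8801711111111"}]})},
]

PHONE_RE = re.compile(r"\+?\d{10,15}")          # crude international phone-number pattern
SENSITIVE_KEYS = {"sms", "messages", "contacts", "phonebook"}


def classify_body(body):
    """Return the kinds of personal data found in one request body (empty set if none)."""
    kinds = set()
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return kinds
    if isinstance(data, dict):
        for key, value in data.items():
            if key.lower() in SENSITIVE_KEYS and isinstance(value, list) and value:
                kinds.add(key.lower())
    if PHONE_RE.search(body):
        kinds.add("phone_number")
    return kinds


def find_exfiltration(entries):
    """Flag POSTs carrying SMS/contact data and count how often each endpoint receives them."""
    findings, per_endpoint = [], Counter()
    for e in entries:
        if e["method"] != "POST":
            continue
        kinds = classify_body(e["body"])
        if not kinds:
            continue
        endpoint = e["host"] + e["path"]
        per_endpoint[endpoint] += 1
        findings.append({"ts": e["ts"], "endpoint": endpoint, "kinds": sorted(kinds)})
    repeated = {ep: n for ep, n in per_endpoint.items() if n > 1}   # periodic re-syncing
    return findings, repeated
```

On the constructed log this flags three uploads to api.pathao.com/v1/me, matching the repeated contact and SMS syncing the traffic analysis describes.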
METHOD 2: Decompiling the Pathao app source code
Finding the code behind the behaviour shown in the previous method is a surefire way to confirm that Pathao really is sending private data to its server. I first got the idea to decompile the app from Sazid Hossain Banna's blog post, which does an amazing job of dissecting the details:
Did Pathao steal SMS and contacts? Dissecting the app to find proof.
Did a Bangladeshi TNC “Pathao” valued around 100M USD steal SMS and contacts of its users for two months?
We decompiled Pathao APK version 3.3.0 to get its source code.
In pathao.com.utils.ApiEndpoints, Pathao declares the following variables for sending contacts and SMS to its server:
public static final String SYNC_CONTACT_SMS = "https://api.pathao.com/v1/me";
public static final String SYNC_USER_DATA = "https://api.pathao.com/v1/me";
We found the class that collects and sends SMS and contacts to Pathao's server; it is named "SyncContactSMSCollection".
The "getAllPhonebook()" method is used to fetch the contacts.
The function for collecting SMS is "m5589a()".
Anyone familiar with Java can easily see that Pathao scrapes the entire contact list and all SMS of the user every time the Pathao app is opened. And it keeps syncing: every time it detects a new SMS or contact, it bundles them into a single JSON object and sends it to Pathao's server.
You can also notice from the HTTPS traffic analysis that Pathao uses Facebook AccountKit to perform user login. So there is no way Pathao should need contact/SMS read access to perform SMS verification.
Pathao is sending sensitive personal information to its server without user consent, just like a malicious app. Users' SMS contain personally identifying information such as bank account numbers, bKash account numbers, OTPs, credit/debit card numbers and passport/visa tracking numbers. Sending this identifying information to a server is a violation of the Digital Security Act 2018 (Paragraph 26). The sheer amount of data available in the SMS messages of a million people is very dangerous in the wrong hands.
There is a name for apps that stealthily and continuously send users' private data: malware/spyware. A tech product with a promised 100 million dollar valuation acting like malware is truly shameful.
About the Author:
The author is an information security professional. He is the co-founder of Obboy Labs (http://obboylabs.com), a blockchain tech startup. He is also an internet security consultant to the ICT Division, Bangladesh, and leads their Certificate Authority project.