“Hitting and kicking” the bundled App of their widest European distribution company.

PREFACE

Indisputably, Vending Machines are objects of cult. Delicious morsels for Hackers, always. In the beginning they worked offline with coins only; then, NFC-keys/cards models started spreading. If I say “COGES” I’m sure that better times will come to someone’s mind. But… In a bunch of years things changed radically. You get distracted and a moment after, you find the world superseded by things connected to the internet…

STORY

One day I decided to interrupt seasoning myself in the bat-cave and head to my hometown to get some sunlight, so I went to the University to salute an old professor. “Go to have a coffee!” — he said — and we started chit-chatting while walking through the main corridor. Once arrived…

Me: “let me pay, I have coins!”.
Him: “wait wait! let me use the Vending Machine’s App to pay, the coffee will be cheaper”.
Brain: “Mmm… BLE + NFC Virtual wallets are cool stuff…”. Excellent. HOT-POT.
Soul: “I dare you to Hack into that!”
~$ White Hat inner voice: “just pats on the shoulder if no bug bounty reward”.
~$ Grey Hat inner voice: “ok, I’ll do that for educational purposes only”.
~$ Black Hat inner voice: “c’mon man, let’s screw that HEAP, great Jupiter!”.

Later in that day… Pwnie express.

ANALYSIS

Needless to say that I picked up my dirty rooted Android smartphone (with USB Debugging Enabled), installed the targeted App from the Play Store and dumped the original *.apk to my laptop via adb.
# adb pull /data/app/com.sitael.vending-1/base.apk ./Argenta.apk

I decompiled the *.apk with apktool

# apktool d ./Argenta.apk -o ./Argenta

and extracted Java sources with jadx

# jadx ./Argenta.apk

Firstly, I made the *.apk debuggable by editing the AndroidManifest.xml file, adding the property android:debuggable="true" to the application <tag>. Then, I rebuilt the *.apk

# apktool b ./Argenta

created a new key with keytool

# keytool -genkey -v -keystore Argenta.keystore -alias Argenta -keyalg RSA -keysize 2048 -validity 10000

signed the *.apk with jarsigner using the generated key

# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Argenta.keystore Argenta.apk Argenta

lastly, I zip-aligned it to make it runnable

# zipalign -v 4 Argenta.apk Argenta-signed.apk

and I installed the final *.apk

# adb install ./Argenta-signed.apk

I ran the App on the smartphone and started looking at logs with logcat, filtering them via its package name

# adb logcat --pid=`adb shell pidof -s com.sitael.vending`

Nothing special found, so I started to comb through the source codes seeking juicy information. Looking closer at the AndroidManifest.xml file, I found references to RushOrm. So, the first keyword search was db_name. Cool. I booted up Root Explorer on the phone seeking argenta.db. Found. So I pulled it to my laptop with adb

# adb pull /data/data/com.sitael.vending/databases/argenta.db ./

and tried to open it with DB Browser for SQLite; obviously, it was password protected.

REVERSE-ENGINEERING

Stepping back to the source codes, I looked at RushAndroidConfig.java, where I found the methods used to configure the database. My attention was caught by

this.encryptionKey = getDeviceId(context);

I moved to its definition and… found that the targeted App used the phone’s IMEI (*#06#) as encryption key for the SQLite database. Abracadabra. Boom baby.
After a couple of seconds of inspection, I opened the UserWallets table and edited the walletCredit field, writing pumped credit; then I pushed the database back to the phone with adb

# adb push ./argenta.db /data/data/com.sitael.vending/databases/argenta.db

VERDICT

In the meantime, while I felt like “Robin Hood” (nostalgic and explicit reference to the +1000 gold cheat code for Age Of Empires), I developed an Android utility to quickly dump / restore / tamper the targeted App’s database on the fly. Then I went back to my University again to finally test the Hack. Dear diary…

CONCLUSION

From a zero-credit account, I could:
> Inflate the App’s credit.
> Buy stuff.
> Get the remaining credit updated.
> Go back to zero-credit state.
> Inflate the credit again.
> Start over.

With a macro inspection of all the reversed sources I found huge portions of code clean, without obfuscation, which meant no great counter-measures adopted to protect user data and make the App secure at all.

A month ago… The White Hat inner voice of me picked up the phone and called the company behind this shame to report the vulnerability. I gently suggested that they toss the current architecture and develop a better and secure one from scratch. Hocus bogus.
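A backend design that closes the cycle listed above, added here as an example and not code from the article or from the vendor: the server keeps the only authoritative balance, signs every wallet record it hands to the app with an HMAC under a key that never leaves the backend (unlike a key derived from the IMEI, which any code on the phone can read), and tracks a version counter so that a restored older database dump is refused as a replay. The WalletServer class, the field names (user_id, wallet_credit, version, tag) and the cent amounts are assumptions made for this example, not the app's real schema or API.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Field names are assumptions made for this example, not the app's real schema.
COVERED_FIELDS = ("user_id", "wallet_credit", "version")


def canonical(record: dict) -> bytes:
    """Serialize the tagged fields in a fixed order so the HMAC is reproducible."""
    covered = {k: record.get(k) for k in COVERED_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class WalletServer:
    """Hypothetical vendor backend: the only place where a balance is authoritative."""

    # Server-only secret; generated here for the demo, but in practice it lives in
    # the backend's secret store and never ships inside the APK.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # user_id -> (credit in cents, version counter)
    balances: dict = field(default_factory=dict)

    def _signed_record(self, user_id: str) -> dict:
        credit, version = self.balances[user_id]
        record = {"user_id": user_id, "wallet_credit": credit, "version": version}
        record["tag"] = hmac.new(self.key, canonical(record), hashlib.sha256).hexdigest()
        return record

    def top_up(self, user_id: str, cents: int) -> dict:
        """Credit an account (e.g. after a card payment) and return the signed wallet record."""
        credit, version = self.balances.get(user_id, (0, 0))
        self.balances[user_id] = (credit + cents, version + 1)
        return self._signed_record(user_id)

    def purchase(self, client_record: dict, price_cents: int):
        """Validate the record the app presents, then debit the server-side balance.

        Returns (status, new_record); new_record is None unless status == "ok".
        """
        user_id = client_record.get("user_id")
        if user_id not in self.balances:
            return "unknown_user", None

        # 1. Integrity: an edited wallet_credit no longer matches the tag.
        expected = hmac.new(self.key, canonical(client_record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(client_record.get("tag", ""))):
            return "tampered", None

        # 2. Freshness: a restored older dump carries a stale version counter.
        credit, version = self.balances[user_id]
        if client_record.get("version") != version:
            return "replayed", None

        # 3. Funds: the server's balance decides, not the number stored on the phone.
        if price_cents > credit:
            return "insufficient", None

        self.balances[user_id] = (credit - price_cents, version + 1)
        return "ok", self._signed_record(user_id)


def demo() -> list:
    """Replay the cycle from the write-up against this design, on constructed data."""
    server = WalletServer()
    outcomes = []
    wallet = server.top_up("user-42", 500)                  # 5.00 loaded legitimately

    inflated = dict(wallet, wallet_credit=1_000_000)        # credit edited in the local DB
    outcomes.append(server.purchase(inflated, 60)[0])       # -> "tampered"

    status, wallet_after = server.purchase(wallet, 60)      # genuine 0.60 coffee
    outcomes.append(status)                                 # -> "ok"

    outcomes.append(server.purchase(wallet, 60)[0])         # old dump restored -> "replayed"
    outcomes.append(server.purchase(wallet_after, 1000)[0]) # -> "insufficient"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The local database may still be encrypted for privacy, but with this layout its contents are never trusted for money: a changed walletCredit fails the tag check, a restored dump fails the version check, and the machine only dispenses on a server "ok".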