<Thread> 2 days ago, India launched a mobile app "to fight against the   #COVID19"
I installed the app and I have 1 hour in front of me, let& #39;s see what I can find. https://twitter.com/vikramKadiam/status/1246105684976062464">https://twitter.com/vikramKad...
                    
                                    
                    I installed the app and I have 1 hour in front of me, let& #39;s see what I can find. https://twitter.com/vikramKadiam/status/1246105684976062464">https://twitter.com/vikramKad...
                        
                        
                        The app is available on the Playstore. First step is to install and use the app as a normal user  https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu">https://play.google.com/store/app... 2/
                        
                                                
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        They detected that my device was rooted. Let& #39;s bypass that! 3/
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I decompiled the apk and search the string the error message "due to security restrictions". This string appears only 1 time in the SplashActivity. Make sense 4/
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Side note: I have no idea what I& #39;m doing at the moment  https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes"> 5/
https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes"> 5/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        Sorry I made a break to analyse a French thing ^^ I& #39;m back 7/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        My Frida code is not working and it& #39;s too late to debug it. I& #39;ll go for the easy route, I& #39;ll remove the root detection code from the apk  https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes"> 8/
https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes"> 8/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                    
                                    
                    
                        
                        
                        Now, they want my phone number and I always have a problem when I try to login. Let& #39;s see if I can bypass that 10/
                        
                        
                        
                        
                                                
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Somehow they detected that I monitored the network requests made by the app and throw me this error. Searching how 11/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I& #39;ll check that later tomorrow 12/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Lol
                        
                        
                                                    
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        The WebviewActivity of the app can be used to open any url. There is no validation... Not the end of the world but it can be useful  https://abs.twimg.com/emoji/v2/... draggable="false" alt="😏" title="Smirking face" aria-label="Emoji: Smirking face"> 14/
https://abs.twimg.com/emoji/v2/... draggable="false" alt="😏" title="Smirking face" aria-label="Emoji: Smirking face"> 14/
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        Time to sleep  https://abs.twimg.com/emoji/v2/... draggable="false" alt="😴" title="Sleeping face" aria-label="Emoji: Sleeping face">, I& #39;ll continue this thread later
https://abs.twimg.com/emoji/v2/... draggable="false" alt="😴" title="Sleeping face" aria-label="Emoji: Sleeping face">, I& #39;ll continue this thread later
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        I wanted to check something before going to bed. I can use this "issue" to access my authToken. I will record a small video https://twitter.com/fs0c131y/status/1246217727913705472?s=20">https://twitter.com/fs0c131y/...
                        
                            
                            
                            
                        
                        
                        
                        
                                                
                    
                    
                                    
                    
                        
                        
                        It can be considered as a security issue  https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes">
https://abs.twimg.com/emoji/v2/... draggable="false" alt="😁" title="Grinning face with smiling eyes" aria-label="Emoji: Grinning face with smiling eyes">
                        
                        
                                                    
                        
                        
                                                
                    
                    
                
                 
                         Read on Twitter
Read on Twitter 
                             
                             
                             
                                         
                                         
                             
                                     
                                    