Hacking solely using your un-jailbroken iPhone: using SiriShortcuts and HttpCatcher No laptop needed!

Julia Pak
6 min read · Jul 4, 2020

If you want a response regarding my #shiftgrabber or using #httpcatcher or doing api calls please send a tip first. Please note this does not guarantee I can solve your problem, just rather that I’ll give it a bit of thought! Otherwise I ignore them. Link to tip me:
https://buy.stripe.com/3cs9B36hB6IIbfOaEK

Working as a bike courier in Toronto has its ups and downs. I, like most other couriers, really enjoy riding in the summer. I try to avoid working in the winter, only working minimal shifts to keep my accounts active. I’m signed up on every company, but I don’t work full time. Summer 2017 Uber wasn’t paying so well, so many of us were working Foodora and unfortunately the shift grabbing wasn’t so easy. Shifts would drop Wednesday morning at 10 or 11 am depending on what group you were in. Group 1 was for the loyals: people who worked full time, didn’t refuse orders and were never late. However, I was always in group 2 or 3, mainly because I worked few hours and generally avoided winter. So that meant an 11am shift drop, and those shifts were gone in mere minutes. What’s a girl to do? Well, if you’re a weirdo like me you automate shift grabbing!

Best part is I did this all without having to head to my laptop and proxy my traffic through a program like Fiddler or Burp; this was done solely on my iPhone. Although I later copied a few versions of the app’s IPA files to go look through (it was never distributed via iTunes).

The app I used for my sniffing of the app traffic is HttpCatcher. Here is the link: https://apps.apple.com/us/app/http-catcher/id1445874902

iOS allows its users to move certs onto the root, and HttpCatcher gives you a cert and even deals with apps that have OkHttp! So everything works right out of the box! Just move your cert over and start your sniffing…easy peasy. The app even allows for use of regex for find and replace…so things can get interesting if you want to do some poking around of an app. Having this ability and not having to jailbreak is golden, as a lot of modern apps do various behavioural checks and are aware of tools like Frida, etc. etc. They make us jump through a lot of booby traps and are very knowledgeable about commonly used tools and other things (aka “hide my jailbreak” or “hide my root”, “SSL kill switch”…)

The app I was examining was using basic security protocols like HTTPS, and was using cert pinning…however that was all easy for me to bypass. Oh, and the app was doing behaviour checks for jailbreak, location spoofing, etc. But again, I never needed that stuff and I know how to pass those tests.

Below is a sniff from HttpCatcher showing how the OAuth2 token was being generated:

POST request to generate token

The automation part was easy after I was able to sniff and figure out how the OAuth2 token was made (basically username/password in a certain JSON format). I used Siri Shortcuts to “make” my automation. Shortcuts allows you to essentially apply programming-type logic by simply dragging and dropping modules. Almost like how they teach grade school children how to code. I used the module “Get contents of URL” for the bulk of my efforts. That module allows you to set the request method; pic of options below:

The request options for “Get contents of URL”. You can send POST!

Below is a photo of some of my automation steps. I won’t bore you with the whole thing, but I think you’ll get my drift. I set the date to 5 days ahead of the current date, as the shift drop occurred on Wednesdays for the following week.

A few of the shortcuts steps needed to make the shift grabber

Here is a link to a short video showing the shortcut in action. You’ll see I’m pressing a button to run the shortcut; however, that could also have been run with the catch phrase “hey siri dora shifts!”

https://www.youtube.com/watch?v=GChDyT6mjck

Oh, and I was able to figure out they were using ISO 8601 to account for time because I knew the API they were using in their app. It was this one: https://developer.squareup.com/reference/square/labor-api/search-shifts

Now, as I was poking around the API calls I also found something else that was HIGHLY interesting… I was able to see orders as they were dispatched and that the company was using a deferred dispatching model to send them to me, including information about whether the order tipped! Wow, I was amazed. Sorta freaked out though, as I knew that the tip information was hidden from couriers in general (the app wouldn’t show that until the order was complete). My mind went bonkers with the possibilities. I made a basic automation that would show me the tip info on an order before I would accept it. I also figured out a way to “game the system” so that I would get the most profitable orders! Here is a pic of the API response from HttpCatcher that allowed me to figure this all out.

from HttpCatcher. Was able to figure out dispatching method AND see tip value on orders!

With this I made a simple automation to show tip value on orders before accepting (as mentioned above). I was also able to come up with several other ideas for programs and execute them. Here are pics of the automation steps for “show me the money!”
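The security-relevant point in the dispatch response above is that the API sent the tip field to the courier client and relied on the app to hide it until the order was complete; anyone reading the traffic could see it. The fix belongs on the server: build the courier-facing payload from an allow-list and release state-dependent fields only once the order is in a state where the product rules say the courier may see them. The following is an added example written for this post, not Foodora’s code; every field name, state name and record in it is constructed for illustration.

```python
"""Server-side response shaping for a courier dispatch API (added example).

Constructed model: a full internal order record is projected onto a
courier-visible payload. Base fields are always sent, state-gated fields
(the tip, the customer's phone) only in the states listed, and internal
dispatcher fields never. A checker flags anything that would leak.
"""
from __future__ import annotations

from copy import deepcopy
from typing import Any

# Fields every courier may see on any order offered to them (constructed).
COURIER_BASE_FIELDS = frozenset({
    "order_id", "status", "pickup", "dropoff", "distance_km", "offered_at",
})

# Fields released to the courier only while the order is in one of the listed
# states, so the API no longer depends on the client hiding them (constructed).
COURIER_STATE_GATED_FIELDS = {
    "tip_amount": frozenset({"completed"}),
    "customer_phone": frozenset({"accepted", "picked_up"}),
}


def shape_for_courier(order: dict[str, Any]) -> dict[str, Any]:
    """Return the courier-visible projection of a full order record."""
    status = order.get("status")
    out = {k: deepcopy(v) for k, v in order.items() if k in COURIER_BASE_FIELDS}
    for field, allowed_states in COURIER_STATE_GATED_FIELDS.items():
        if field in order and status in allowed_states:
            out[field] = deepcopy(order[field])
    return out


def leaked_fields(payload: dict[str, Any], status: str) -> set[str]:
    """Fields in an outgoing payload a courier must not see for this status.

    Flags internal-only fields and state-gated fields sent too early. Use it
    as a regression test on serializers or as a last-line response check.
    """
    leaks = set(payload) - COURIER_BASE_FIELDS - set(COURIER_STATE_GATED_FIELDS)
    for field, allowed_states in COURIER_STATE_GATED_FIELDS.items():
        if field in payload and status not in allowed_states:
            leaks.add(field)
    return leaks


# Constructed full order record as the dispatcher holds it internally.
SAMPLE_ORDER = {
    "order_id": "ord-0001",
    "status": "offered",
    "pickup": "123 Example St",
    "dropoff": "456 Sample Ave",
    "distance_km": 2.4,
    "offered_at": "2020-07-04T18:05:00-04:00",
    "tip_amount": 5.00,
    "customer_phone": "+1-555-0100",
    "customer_email": "customer@example.invalid",
    "dispatch_strategy": "deferred",
    "deferred_until": "2020-07-04T18:07:00-04:00",
    "margin_cents": 312,
}


def demo() -> tuple[dict[str, Any], dict[str, Any], set[str]]:
    """Shape the sample order as offered and as completed, and list what the
    raw record would have leaked had it been sent unshaped (as in the post)."""
    offered = shape_for_courier(SAMPLE_ORDER)
    completed = shape_for_courier({**SAMPLE_ORDER, "status": "completed"})
    raw_leaks = leaked_fields(SAMPLE_ORDER, SAMPLE_ORDER["status"])
    return offered, completed, raw_leaks


if __name__ == "__main__":
    offered, completed, raw_leaks = demo()
    print("offered  ->", sorted(offered))
    print("completed ->", sorted(completed))
    print("raw record would leak ->", sorted(raw_leaks))
```

The allow-list is deliberately the only source of truth: a new column added to the internal order table does not reach couriers until someone adds it here, which is the opposite default from serializing the whole record and trusting the app to hide parts of it.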

automation steps for previewing tips

And here is a short video of the automation in action!

Well I think this is enough for tonight, but I may write again on this topic as I know it is interesting. I also found several other vulnerabilities within Foodora’s APIs and did inform their team. The issues have apparently been fixed.

MAY 19 2021 EDITED: Please do not contact me asking for help regarding this topic. THIS IS FREE INFORMATION, so use it wisely. I am not getting paid to do this and have written this type of content out of the goodness of my heart to help other people. Unfortunately I’ve had a lot of people email/Facebook me asking for help getting shifts/better orders, and the reality is my situation isn’t so good itself, so offering me money and then not paying is, well…sorta fucked up! So take the free information for what it is… run with it from there. If you wish to donate, here is my PayPal: https://www.paypal.me/julzpak or here is my BTC address (slightly less fraudulent than PayPal and I’m more willing to trust it)


Julia Pak

A chick that likes to investigate things. Studied psychology and comp sci at Trent. Can be reached at hello@juliapak.tech