Posted on
android security reverse-engineering

Decompiled the cocacola QuickTap app to see how it worked.

8f4a38321179f79eca3301a63dd66455 *nz.co.ccamatil.quicktap-1.apk

TL;DR it’s all remotely federated, there’s zero chance for free drinks unless you’re comfortable either (a) fuzzing coke servers for vulnerabilities, or maybe (b) sniffing other people’s requests and ordering on their account.

A physical QR code scan (zxing) is used to set location, and then the phone makes http requests to the coke server to remotely initiate vending.

It uses https (with a privately pinned certificate?) as well as some home-rolled checksumming (HMAC-SHA1 and CRC32 together?) and encryption (AES but a constant IV, didn’t look into key generation). The backend server is ASP.NET going by the URLs, there’s a lot of dev/test URLs and DEBUG constant checks still present in the app but nothing that’s obviously exploitable.

The most interesting part is that they didn’t run an obfuscator, all method/class/variable names 100% legible (“so i got that going for me, which is nice”). There’s also a bundled copy of Helvetica Neue, i don’t know whether that’s allowed to be distributed like that (and the choice of font tells you that the designers use OS X).