Covid 19 Tracking app thread. Will be looking into the app, might find stuff, might not.

First up, I've noticed that the UAT environment endpoint is accidentally leaked.
Tried to run through mitmproxy but I'm getting "Invalid phone number" which I think means connection failed due to certificate pinning...
hmmmm
This might be due to me dicking around. Not sure.
I hope they haven't done that stupid census thing where they disable DNS requests from outside of Australia like twats.
Ok, well I'm going to assume that something is broken on the backend and look at the code instead of poking around in the app. I kind of wanted to get a feel of the user flows.
So these are the interesting endpoints.
Looking at the gettempid, it looks like that's authenticated. The decompiler didn't like UpdateBroadcastMessageAndPerformScanWithExponentialBackOff so it's hard to work out what's going on there. If the IDs transmitted are directly based off the gettempid we could have problems.
Going to check out the upload user flow the best I can without the app and see what happens in there.
Ok, it's pretty hard reading through the instruction dump. I could probably mock out the backend to get it running but I might wait until the backend is back up so I can just try it for myself.
You can follow @xssfox.