Preface
Pathao is a very popular Uber-style ride-sharing service based in Bangladesh. Pathao is a local startup backed by local Bangladeshi entrepreneurs, so they have a better understanding of the market than their competitors (Uber). Their marketing campaigns, despite being controversial at times, have been highly successful and they have established themselves as the main competitor to Uber in Bangladesh.
Recently I noticed that when I install Pathao on my Android Oreo smartphone, Pathao asks for SMS and Contacts permissions through the Android runtime permission interface. This is very unusual, and definitely not something a “ride-sharing” app would need. So as a head-to-toe InfoSec enthusiast, I decided to take a deeper look into Pathao and see what information is being transferred from my smartphone.
Setting up the MITM proxy
To see what Pathao sends to remote servers, first I need to monitor my Android smartphone’s web traffic. To achieve that I would need to pass my smartphone’s web traffic through my computer which runs a MITM proxy. I used Burpsuite as MITM tool, and I installed Burpsuit’s root CA as my phone’s trusted CA. This allowed me to decipher all SSL traffic originating from my smartphone and intercept these as unencrypted HTTP requests.
I set up Burpsuite to run a listener on port 8001. Since I was on a LAN, all I had to do next was to use my computer’s LAN IP as a proxy for my smartphone’s wifi.
So now my smartphone has to go through my computer’s MITM setup before sending anything to the internet.
Logging the requests
I started by fresh installing the Pathao app from Google Play.
Now it is time to open Pathao and see what it sends to remote servers. Everything Pathao sends or receives will be stored in my MITM proxy’s request history.
I opened Pathao from my app drawer. It asked me to put in my phone number. From my MITM proxy’s live log, I could tell that Pathao utilizes Facebook’s Account Kit to verify phone numbers. After submitting my number, I received an SMS from Facebook with a numeric verification code, which I had to put into Pathao.
After I was in, Pathao asked for location, SMS, and contacts permissions which I obliged. In the meantime, requests were being logged by my MITM proxy.
The Analysis
Let’s take a look at the MITM proxy log.
We see several SSL-encrypted POST requests to graph.facebook.com and graph.accountkit.com. These are necessary requests and are made by Facebook’s Account Kit which Pathao uses. We see similar POST requests to api.pathao.com which includes a unique identifier and are apparently also for authentication purpose.
We see a POST request to wzrkt.com, which sends our phone’s hardware and carrier details.
Next, we see three POST requests to api.pathao.com. These requests separately send our SMS, contacts list, and installed app list to Pathao.
Here is a Bengali-language video demonstrating everything in this post: