Security analysis of 'Coffee meets bagel' Android app

A question was asked on Quora about suspicious behavior of 'Coffee Meets Bagel' Android app. I thought to perform some analysis on this app. I didn't have much time to thoroughly look into this app, so following are preliminary results of the analysis.

The app asks for following set of permissions:

Permissions:

    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>

    <permission android:name="com.zigct068.ddixg911.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
   <uses-permission android:name="com.zigct068.ddixg911.permission.C2D_MESSAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>

And for a broadcastreceiver, it has following permissions

<receiver android:name="com.qbiki.gcm.GCMBroadcastReceiver"  android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
              <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
              <category android:name="com.zigct068.ddixg911"/>
      </intent-filter>
</receiver>


Permissions and App Behavior:


  
<uses-permission android:name="android.permission.INTERNET"/>

The app needs this permission to download ads data and opening youtube videos etc. It may use it for other purposes, of course.

<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>


Almost all the ad libraries including Google libraries use geo-location coordinates to obtain customized advertisements. Though some apps may encrypt this data before sending it out but most of them don't. If you are concerned about your location tracking, probably you should always use paid apps with no ads. Well, you still can't escape Google.

Here is quick search of getLongitude api call which returns longitude coordinate of the device (user). You can assume that at least these packages use location coordinates.

Following are four main packages:

1) com.google.*   - Google ad libraries and other libraries use location information
2) com.pollfish.* - It's another library that allows developers to survey their users. These surveys are based on geo-location coordinates, device resolution, screen size etc.
3) com.qbiki.* - This package contains original functionality of the app. I discuss it later.
4) org.apache.cordova.* - discussion is given below.

First two packages are from reputable organizations, so we can pretend to know that they won't abuse our private data.

4) org.apache.cordova.*

Apache provides a development framework using which you can build android as well iphone apps without actually writing code for it. You write code using apache API and it will create android and iphone apps for you. Cool. Isn't it?

To use apache framework, you need to mention a list of libraries you want to add into your application i.e. one library for each different functionality. And each library needs required android permissions, obviously. For example, in case of camera functionality, you need to specify following items:

Anyway, for the running app (Coffee meets bagel), the app developer has specific all the libraries apache provides, in its config.xml file (/res/xml/config.xml)

So to avoid breaking the app, the developer needed all those permissions. It is still unsure if the developer actually used any functionality or not.


 Decompiling and Recompiling the app:

 By looking into the dalvik byte code of the app, it appears that the developer has just added these libraries and probably is not using their functionality. So I decompiled the app, removed these libraries, removed following permissions,

 <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>

recompiled the app and installed the app on my device again. So far, it is working the same as it was doing with the original version.

** Ideally, if the application invokes any API for which it does not have any required permissions, the app should crash but it is not doing so far. So, most probably, the app is not using much from org.apache.cordova.* library.



Suspicious code (com.qbiki.*):

The cordova libraries have code that can record audio/video files on the device. Similarly, in its original package code, com.qbiki.*, it contains code that can upload image files to the server. To be specific, com.qbiki.feedback.FeedbackFragment.submitfeedback() contains that code which can potentially upload image files to the developer's chosen server. But is this code actually executed or not?

Network traffic analysis:

I've played with the app for one day, executed roughly all of its functionality, monitored its network traffic for a few hours via tcpdump, and analyzed the traffic via wireshark. I took traffic dump at two different intervals and analyzed them. The app leaks some information about the device but I think, that's what every applications does now a days. 

 However, it does not seem to uploading images to the server. It does download a few files from the server such as

 XML: http://seattleclouds.com/myapplications/_publishers/appxygen/babydekdee/2162014coffeemeetsbagel/app.xml


Java script file: http://s.ytimg.com/yts/jsbin/mobile-blazer-nirvana-phone_mobile_blazer_noncore_nirvana_phone_mod-vflthpDZb.js

Performs registration of the app with the sever.

http://push.seattleclouds.com/gcm_register.ashx

It did not consume the link given in submitfeedback() method so far. But it is quite possible, it can. 


App Specific Files
The app contains functionality that can record audio files and store it in its app specific folder (/data/data/com.zig ... ).  I have kept this app running for one day, obtained files from the location and analyzed them, but have not found any recorded audio or video files there.  However, the app has permissions and code to store files on external memory (sdcard/Android/obb/) but I couldn't find anything suspicious there.


Conclusion

First of all, the app is a fake app. It does not do what it is supposed to do. It is not from the official CMB organization. However, its counterpart app on Apple app store is original.

Secondly, it has all required permissions (Camera, Contacts etc.) and potentially malicious code to exhibit malicious behavior (recording audio/video files and uploading it to the server). Probably I have missed those triggers or that code is executed after receiving some commands from the server.

If I have time in the future, I will spend some more time on it.

Decompiling and Recompiling Android apps using apktool

Decompiling Android app:

1) Download latest version of apktool from Author's website site. Unzip this file at some location on your machine.  Rename it to apktool.jar file.

2) Download the installer files from code.google site and copy into the same folder. For Windows, it has aapt.exe and apktool.bat files.

3) Copy some.apk file into this folder.

4) Press shift and make right click (together) on this folder and click on 'Open command window here' .

For decompiling, type

> apktool.bat d some.apk

If it gets decompiled without any error. Even if it is failed, it creates a new folder within current working folder and stores the files there. This is how a success message should look like.

If it fails at all, try step-6 and run this command again.

Recompiling:

6) Install framework file on your machine. For this, you need to extract framework-res.apk file from your device or emulator wherever your want to install after recompiling (I am not sure about emulator though).

On my Nexus-5, framework-res.apk file is located at /system/framework/framework-res.apk location. (Run <sdkLocation>/tools/ddms.bat  and go to File Explorer option to extract this file)

On the command window, type

> apktool.bat if framework-ref.apk

to install framework.

7) Now you can modify any decompiled file. But for testing, don't modify anything for now. We will just recompile the decompiled folder and see if it works or not.


Type

> apktool.bat b some [newFileName.apk]

APK file name is optional but you have to provide source folder name. It creates a new apk file inside 'some/dist' folder.

Possible output would be like.

8) Now we have broken signature of the original app, we need to make it correct. Online forums say that copying 'resources.arsc' file AND any other modified file from new APK to original APK would fix this issues, but in my cases it did not.

To copy these files, first extract these files from new APK file. Use any unzip utility like 7-Zip to get these files. Now using 7-Zip, in my case, open the old APK file and drop 'resources.arsc' and other files into this opened file. Old files will be replaced.

Ideally, this app should be ready for installation now.

9) Just in case, if it does not get installed on the device, use Zipsigner . Create a signed APK with this app and install it. It should get installed now.

How to zoom-in (out) text in Eclipse

1) Download the plugin from this site

2) Copy it in /plugin folder inside eclipse installation folder and restart eclipse.

-- If this does not work out, copy the plugin.jar file in /dropins folder.

3) Use Ctrl + + (Ctrl and Plus) or Ctrl - - for the functionality.

-- On my machine (Windows 7, Eclipse indigo- 1.4.2), Ctrl + shift + + works for zoom-in and Ctrl - -
for zoom out.