SIK-2017-057


Title:

Premium Feature Unlock Without Payment in Couple Tracker App

Report ID

SIK-2017-057

Summary:

  • Vendor: BytePioneers s.r.o.
  • Product: Couple Tracker - Mobile monitor (Package-Name: com.bettertomorrowapps.spyyourlovefree)
  • Affected Version: 1.83
  • Severity: medium
  • Short summary: The premium features (see longer parts of partner’s SMS messages, remove advertisements, more frequent location updates, etc.) can be unlocked for free.

Details:

The app is available in the store in two versions: a paid premium version and a free version. In the free version, the features of the paid version (see longer parts of partner’s SMS messages, remove advertisements, more frequent location updates, etc.) can be purchased and unlocked individually by users who do not want to buy the complete paid app.

An attacker can modify the shared preferences file to unlock these features without paying:

    <boolean name="l_location_full" value="false" />
    <boolean name="l_fb_full" value="true" />
    <boolean name="l_loc" value="true" />
    <boolean name="l_sms" value="true" />
    <boolean name="l_ads" value="true" />
    <boolean name="l_sms_full" value="true" />
    <boolean name="l_call" value="true" />
    <boolean name="l_fb" value="true" />

However, the attacker must make sure not to launch the upgrade/payment wizard in the app, because this wizard resets the flags in the shared preferences. As long as that view is never opened, the premium features remain unlocked for free.

The attack has been verified for removing the advertisements and obtaining the longer SMS messages.
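The root cause is that entitlement state lives in plain booleans that the device owner can edit. The following added example (not the vendor's code) shows a defensive alternative in plain Java: the server signs the entitlement record, and the app only trusts flags whose signature verifies with the vendor's public key, so an edited record falls back to the free tier. The "name=true;name=true" payload format and the flag names reused from the advisory are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

/** Entitlements the vendor's server signs; the app trusts them only after verification. */
public final class SignedEntitlements {
    private static final String ALG = "SHA256withRSA";

    /** Server side (hypothetical): sign the entitlement record with the vendor's private key. */
    public static byte[] sign(String payload, PrivateKey serverKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(serverKey);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    /** App side: return the unlocked flags only if the signature verifies; otherwise unlock nothing. */
    public static Set<String> unlocked(String payload, byte[] sig, PublicKey vendorPub)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initVerify(vendorPub);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        if (!s.verify(sig)) {
            return Collections.emptySet(); // tampered or forged record: free tier, worth logging
        }
        Set<String> flags = new HashSet<>();
        for (String kv : payload.split(";")) {
            String[] p = kv.split("=", 2);
            if (p.length == 2 && p[1].equals("true")) flags.add(p[0]);
        }
        return flags;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // private key stays on the server, public key ships in the app
        // Constructed record for a user who bought two features but not the full SMS view.
        String paid = "l_sms=true;l_ads=true;l_sms_full=false";
        byte[] sig = sign(paid, kp.getPrivate());
        System.out.println("genuine: " + unlocked(paid, sig, kp.getPublic()));
        // Same edit an attacker would make in the preferences file: the signature no longer matches.
        String edited = paid.replace("l_sms_full=false", "l_sms_full=true");
        System.out.println("edited : " + unlocked(edited, sig, kp.getPublic()));
    }
}
```

The public key and the check still live in the client, so this raises the bar from editing a text file to patching the app; the premium data itself (such as the longer SMS parts) should additionally be released only by the backend after it has checked the purchase.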

Workaround

Suggested Mitigation

Timeline

  • 2017-08-23: Vulnerability discovered.
  • 2017-08-29: First email sent to developer.
  • 2017-08-30: Sent advisory to developer.
  • 2018-08-11: Published.