Did Pathao steal SMS and contacts? Dissecting the app to find proof.

Sazid Hossain Banna
Blog of Knight Fall
7 min read · Nov 12, 2018


For those who don’t know about Pathao, Pathao is Bangladesh’s Uber. Pathao initially started its journey as a delivery service, then added bike sharing in late 2016 and car sharing in late 2017. In April 2018 Pathao was valued at USD 100M and Go-Jek invested USD 10M in Pathao.

On November 5, an infosec researcher named Ashik Ishtiaque Emon posted a video showing proof that the Bangladeshi transport networking company Pathao is actively stealing personal data from its Android users.

Ashik pointed out in the video (which has since been removed along with all of his posts related to Pathao stealing data) that Pathao is collecting:

  • Phone Hardware Details
  • List of installed apps
  • All contacts
  • All SMS

I tried to do the same with my Android phone and failed to get the Pathao app running or to capture anything with the MITM proxy I was using. A quick Google search pointed me to the changes starting from Android Nougat, where it states that “user installed certificates are no longer trusted” by apps. So, his method shouldn’t work unless he recompiled the app with Burp Suite’s certificate or installed Burp Suite’s certificate as a system-level CA using adb. His demonstration makes the latter more likely.

S̶o̶,̶ ̶I̶ ̶j̶u̶s̶t̶ ̶u̶s̶e̶d̶ ̶N̶o̶x̶ ̶p̶l̶a̶y̶e̶r̶ ̶e̶m̶u̶l̶a̶t̶o̶r̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶A̶n̶d̶r̶o̶i̶d̶ ̶4̶.̶4̶.̶2̶.̶ ̶A̶s̶ ̶t̶h̶e̶r̶e̶ ̶w̶e̶r̶e̶ ̶n̶o̶ ̶S̶M̶S̶ ̶i̶n̶ ̶m̶y̶ ̶e̶m̶u̶l̶a̶t̶o̶r̶ ̶p̶h̶o̶n̶e̶,̶ ̶I̶ ̶d̶i̶d̶n̶’̶t̶ ̶c̶a̶p̶t̶u̶r̶e̶ ̶t̶r̶a̶f̶f̶i̶c̶ ̶s̶h̶o̶w̶i̶n̶g̶ ̶S̶M̶S̶ ̶b̶e̶i̶n̶g̶ ̶p̶a̶s̶s̶e̶d̶ ̶t̶o̶ ̶t̶h̶e̶ ̶n̶e̶t̶w̶o̶r̶k̶. Unhappy with not being able to get the SMS, I installed mitmproxy’s CA as a system CA in an Android emulator. It was far easier than rooting my phone, and keeping the proxy CA on a throwaway emulator rather than on my own device is the safer choice.

I would like to thank Md. Minhazul Haque for his Facebook status below pointing out the existence of “SMS/Contacts” collecting code in the decompiled APK.

Phone Hardware Details

Ashik claimed that phone hardware details are being sent to wzrkt.com. wzrkt.com is an API endpoint of the behaviour analytics and mobile marketing company CleverTap. While CleverTap is the brand name, the parent company’s name is WizRocket.

CleverTap came into the spotlight in Indian media after Elliot Alderson publicly posted on Twitter that Indian PM Narendra Modi’s Android app was sending device info and personal information to CleverTap without user consent.

From the POST data it can easily be inferred that Pathao is monitoring user activity in its app. Below is a sample POST request from the app to the CleverTap server.

Pathao’s app made several POST requests about different interactions in the app. Pathao also sends gender, phone number and email address with the requests. Many companies use CleverTap for real-time customer insights, and based on the requests made by the Pathao app it is safe to assume that Pathao is doing the same. Though Pathao states in its privacy statement that it collects anonymous data, the inclusion of email address, phone number and gender in the payload doesn’t make it anonymous in any sense.

Requests sent to wzrkt

Pathao Collecting Contacts, SMS and App list

Pathao uses an API to interact with the app. In Pathao user app version 3.2.1, there are 81 endpoints listed for different activities. Every time a user opens the app, the Pathao app completes the login via Account Kit. A GET request is made to https://api.pathao.com/v1/me, and Pathao returns the user information in JSON format.

Requests made by Pathao app from open to exit

Without getting into the details of Facebook AccountKit, branch.io links and the other integrated services, let’s focus on the interesting part among the requests. Pathao sends two POST requests to api.pathao.com/v1/me every time the Pathao app is opened. After checking the request headers, it is clear that the two requests are identical and carry the same headers (see the “First request” capture below), with only the request body being different.

First request

The body of the other request contains the contacts saved in the emulator and the SMS sent or received.

One interesting fact is that in the request body, the Pathao app adds a field called “_method” with the value “PATCH”.

Pathao also sends the list of all the apps installed on your phone, which becomes evident once the other request is inspected. Its request body includes:

  • Device ID, brand, model and OS version
  • List of installed apps
  • Google Cloud Messaging token (gcm_token)
  • Package names of the installed apps

Though the JSON request body has an “fcm_token” field, which is for the Firebase Cloud Messaging token, its value is always null.
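The checks described in the two sections above (PII inside supposedly anonymous analytics events, whole data sets such as contacts, SMS and installed apps in a sync request, and the POST-to-PATCH “_method” override) can be automated once the mitmproxy captures are in hand. The following is an added example, not code from the article or from Pathao, that audits captured JSON request bodies for exactly those three things. The captures it runs on are constructed samples shaped like the article’s description, not real traffic, and the field names and the PII key list are assumptions.

```python
"""Audit captured JSON request bodies (method, URL, body) for personal data,
wholesale data dumps and the form-style HTTP method override described in
the article. Sample captures below are constructed, not recorded traffic."""
import json
import re

# Keys whose presence makes a payload personally identifiable
# (assumption: our own list, not any vendor's or app's field schema).
PII_KEYS = {"email", "phone", "phone_number", "gender", "name"}
# Top-level keys that carry whole data sets rather than one event attribute.
BULK_KEYS = {"contacts", "sms", "installed_apps"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"\+?\d{10,15}")


def walk(obj, path="", key=""):
    """Yield (dotted path, innermost key, value) for every leaf of a JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, obj


def audit_request(method, url, body):
    """Return findings for one captured request whose body is a JSON string."""
    data = json.loads(body)
    f = {"url": url, "method_override": None,
         "pii_fields": [], "pii_values": [], "bulk_fields": []}
    # A POST whose body says "_method": "PATCH" is asking the server to treat
    # it as a PATCH (a method-override convention used by some web frameworks).
    if isinstance(data, dict):
        override = data.get("_method")
        if isinstance(override, str) and override.upper() != method.upper():
            f["method_override"] = f"{method} -> {override.upper()}"
    for path, key, value in walk(data):
        top = path.split(".")[0].split("[")[0]
        if key.lower() in PII_KEYS:
            f["pii_fields"].append(path)
        # Catch PII by value too, so a renamed field does not slip through.
        if isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.fullmatch(value)):
            f["pii_values"].append(path)
        if top in BULK_KEYS and top not in f["bulk_fields"]:
            f["bulk_fields"].append(top)
    # "Anonymous" only if nothing identifies the person and no data set is dumped.
    f["anonymous"] = not (f["pii_fields"] or f["pii_values"] or f["bulk_fields"])
    return f


def audit_all(captures):
    return [audit_request(*c) for c in captures]


# Constructed captures: shapes follow the article's description, values are fake.
SAMPLE_CAPTURES = [
    ("POST", "https://wzrkt.com/a1", json.dumps({
        "evtName": "app_open",
        "profile": {"Email": "user@example.com", "Phone": "+8801700000000", "Gender": "M"}})),
    ("POST", "https://api.pathao.com/v1/me", json.dumps({
        "_method": "PATCH",
        "contacts": [{"name": "Alice", "phone": "+8801800000000"}],
        "sms": [{"address": "+8801900000000", "body": "OTP 1234"}]})),
    ("POST", "https://api.pathao.com/v1/me", json.dumps({
        "_method": "PATCH", "device_id": "abc", "brand": "Nox",
        "installed_apps": ["com.example.bank"], "gcm_token": "tok", "fcm_token": None})),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CAPTURES):
        print(finding)
```

The value-based regexes are deliberately loose: when auditing a vendor SDK’s payload you do not know its schema, so a phone number hiding under a key like “address” should still be reported, which is why the SMS capture above is flagged on both the contact list and the SMS sender field.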

Digging into the source code

The problem with the proofs above is that people might question the legitimacy of the information. And people did question the legitimacy of Ashik’s demonstration; some considered it an ill-intentioned attempt to damage a reputable company that is competing against a behemoth like Uber.

Long story short, finding the code behind the actions shown in the section above can validate it.

Before discussing the code behind the SMS and contacts collection, let’s check the packages you would need to fetch contacts and SMS from the phone.

import android.provider.ContactsContract; //for contacts
import android.provider.Telephony; //for sms

Pathao used the following for accessing contacts and SMS:

// for sms
import android.database.Cursor;
//for contacts
import android.provider.ContactsContract.CommonDataKinds.Phone;
import android.provider.ContactsContract.Contacts;

Starting from Android KitKat (API level 19), Google introduced android.provider.Telephony for accessing SMS, but Pathao opted for the older technique of querying the SMS database directly through a Cursor.

Under pathao.com.utils.ApiEndpoints, Pathao declared the following variables for sending contacts and SMS to its server:

public static final String SYNC_CONTACT_SMS = "https://api.pathao.com/v1/me";
public static final String SYNC_USER_DATA = "https://api.pathao.com/v1/me";

After decompiling all the APKs available on APKPure, I found that from version 2.5.1 onwards Pathao added the code which sent the list of installed apps and their package names to its server. According to APKPure, version 2.5.1 was released on 18th May of this year.

Pathao collected information about the apps installed on its users’ phones for almost 6 months before removing the code in version 3.3.4.

In version 2.5.1, Pathao added a class called “SyncDeviceInfoService.java” under “com.pathao.user.services” which dealt with sending the information to Pathao’s server.

Before inspecting the code, I suspected that they were turning the POST into an HTTP PATCH by adding the field “_method” with the value “PATCH” to the request body (a method-override convention). Line 27 in the above gist confirmed my suspicion. If you have read the section discussing the requests, you will understand lines 27 to 34.

The Pathao app calls the code shown above from

com.pathao.user.p010ui.core.landing.view.PlatformActivity

When the app starts, the Pathao app sends the app information after executing the necessary user-related tasks.

The Pathao app added the class “SyncContactSMSCollection” in version 3.0.2 under “com.pathao.user.services” and removed it in version 3.3.3.

Pathao collected SMS and contacts of all of its users for two months, because version 3.0.2 was published on 31st August 2018 and version 3.3.3 on 7th November 2018.

Pathao app homepage.

Developers at Pathao implemented it in the home-screen activity, under onResume.

Android activity lifecycle

onResume is called every time a user returns to the activity. When a user opens the Pathao app or navigates to the home page, for example from “history”, “startSMSContactSync()” is executed along with “accessUserLocation()”, which updates the user’s location.

“startSMSContactSync()” calls the “SyncContactSMSCollection” class, which then collects and sends SMS and contacts to Pathao’s server.

Pathao app uses two methods to collect contacts and SMS.

Contacts are retrieved by calling the method “getAllPhonebook()”.

Judging from the code below and from inspecting the POST request, it can be assumed that the Pathao app collected only the primary phone number of each contact.

The method for collecting SMS was probably obfuscated, or there are some issues with the jadx decompiler, as you can see below that the method is named “m5589a()”.

Inspecting the code makes it clear that the code above is indeed retrieving SMS from the phone’s database.

I believe Pathao’s developers used this technique so that it also covers phones running API levels below 19.

SMS and contacts are bundled in a single JSON object and sent to Pathao’s server.
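The indicators discussed in this section (a Cursor over the SMS database instead of android.provider.Telephony, ContactsContract, the “_method”/“PATCH” override, and two ApiEndpoints constants naming the same URL) can be searched for across a whole jadx output tree instead of by reading classes one at a time, which is how you would triage every APK version from APKPure. Below is an added example, not code from the article or from the Pathao app, that does that over an in-memory source tree; apart from the two ApiEndpoints constants quoted above, the Java snippets it scans are constructed, and the class and method names in them are hypothetical.

```python
"""Static triage of decompiled (jadx) Java sources for the indicators the
article describes: SMS and contact reads, installed-app enumeration, the
"_method" override and URL constants. Sample sources are constructed except
for the two ApiEndpoints constants quoted from the article."""
import re
from collections import defaultdict

# One indicator category -> regexes that reveal it in a line of Java source.
INDICATORS = {
    "sms_read":         [r"content://sms", r"android\.provider\.Telephony\b", r"Telephony\.Sms"],
    "contacts_read":    [r"ContactsContract\b"],
    "installed_apps":   [r"getInstalledPackages|getInstalledApplications"],
    "method_override":  [r'"_method"'],
    "network_endpoint": [r"https?://[\w./-]+"],
}
INDICATORS = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}

# `[public] static final String NAME = "value";` as jadx emits it.
CONST_RE = re.compile(r'(?:public\s+)?static\s+final\s+String\s+(\w+)\s*=\s*"([^"]+)"\s*;')


def scan_file(src):
    """Map each indicator category to the 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        for cat, pats in INDICATORS.items():
            if any(p.search(line) for p in pats):
                hits.setdefault(cat, []).append(lineno)
    return hits


def scan_tree(files):
    """files: {relative path: source text} -> {path: hits}."""
    return {path: scan_file(src) for path, src in files.items()}


def suspicious_files(report):
    """Files that both read personal data and show a way to send it (an endpoint
    literal or the form-style method override). Reads alone are not flagged:
    a contacts picker legitimately touches ContactsContract."""
    reads = {"sms_read", "contacts_read", "installed_apps"}
    sends = {"network_endpoint", "method_override"}
    return [(path, sorted(reads & hits.keys()))
            for path, hits in report.items()
            if reads & hits.keys() and sends & hits.keys()]


def endpoint_constants(files):
    """Group URL-valued String constants by URL, so several names pointing at
    one endpoint (as SYNC_CONTACT_SMS and SYNC_USER_DATA do) stand out."""
    by_url = defaultdict(list)
    for src in files.values():
        for name, value in CONST_RE.findall(src):
            if value.startswith(("http://", "https://")):
                by_url[value].append(name)
    return dict(by_url)


SAMPLE_FILES = {
    # The two constants quoted in the article; the class wrapper is ours.
    "pathao/com/utils/ApiEndpoints.java": (
        "public class ApiEndpoints {\n"
        '    public static final String SYNC_CONTACT_SMS = "https://api.pathao.com/v1/me";\n'
        '    public static final String SYNC_USER_DATA = "https://api.pathao.com/v1/me";\n'
        "}\n"),
    # Hypothetical collector with an obfuscated method name, modelled on the
    # article's description (Cursor over content://sms, ContactsContract, _method).
    "com/example/SyncCollector.java": (
        "import android.database.Cursor;\n"
        "import android.provider.ContactsContract.Contacts;\n"
        "public class SyncCollector {\n"
        "    void m0001a() {\n"
        '        Cursor c = resolver.query(Uri.parse("content://sms/"), null, null, null, null);\n'
        "        JSONObject body = new JSONObject();\n"
        '        body.put("_method", "PATCH");\n'
        "    }\n"
        "}\n"),
    # Benign file: a URL constant but no personal-data access.
    "com/example/HelpActivity.java": (
        "public class HelpActivity {\n"
        '    static final String FAQ = "https://example.com/faq";\n'
        "}\n"),
}

if __name__ == "__main__":
    rep = scan_tree(SAMPLE_FILES)
    for path, hits in rep.items():
        print(path, hits)
    print("suspicious:", suspicious_files(rep))
    shared = {u: n for u, n in endpoint_constants(SAMPLE_FILES).items() if len(n) > 1}
    print("shared endpoints:", shared)
```

Run it over a real tree by reading `*.java` files under the jadx output directory into the `files` dict. The line numbers it reports are what you would cite in a write-up, as the article does with lines 27 to 34 of its gist, and the per-version diff of `suspicious_files` output is a quick way to confirm in which release a collector class appeared and in which it was removed.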

If you have read through the article, it should be evident to you that Pathao did steal SMS and contacts from its users. The Pathao app acted like any malicious app and collected sensitive personal information without user consent. Many argue that Pathao asks for the SMS and contacts permissions, and that one should understand that Pathao will be reading them.

Pathao uses Facebook AccountKit to perform user login. So there is no way Pathao should need SMS read access to perform SMS verification. Even if it needed to do so for login, there are other ways to do it without breaching privacy.

The worst part of this incident is that Pathao officially denied stealing SMS and contacts from its users. The guy who first discovered it has removed all references to the demonstration from his blog, Facebook and YouTube. This raises the question of whether Pathao used its influence to strong-arm him into removing the content.

Here are my two cents regarding this:

  • Pathao knowingly and intentionally collected sensitive personal information. Pathao should come clean about this.
  • Pathao should let an independent body audit their system and publish a report about the usage of the data. Pathao should also let its users access all the information it has collected so far.
  • Lastly, revamp their TOS and privacy policy, clearly stating what data is collected from users.

