I got a freelance job to test the security of an Android app. It is of a restaurant chain like KFC, but small. My friend bought me the job as he knew the CEO personally. The app has about 12000 downloads. So I downloaded the app and reversed it. The app was a hybrid app made with technologies like Cordova. I fired up my test phone, connected it to mitmproxy and started exploring the app. The first thing I noticed was that it was using plain HTTP.
I then stopped mitmproxy and started using Burp over plain HTTP. My first instinct was to search for IDOR. You should look at your user profile while looking for IDOR. They load your profile like this: "/user/profile/1" or "profile.php?id=1". I clicked the "Profile" button. My Burp Suite intercepted that request. The app was using my id to fetch my profile data. My profile data contains my name, address, phone, email, etc. I sent the request to Repeater and changed the id. I could see the data of anyone I liked by changing the id.
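The profile lookup described above, shown as an added example (not code from the post or from the app under test): a minimal handler modelled on the "/user/profile/<id>" pattern, once with the IDOR and once with an object-level authorization check, plus a small log scan that flags requests for a profile id other than the session's own. All names, the in-memory user table and the log line format are assumptions made for this example.

```python
# Added example: the IDOR pattern from the post, vulnerable and fixed forms,
# with a detection helper. Every identifier here is hypothetical.
from typing import Optional
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: int
    name: str
    phone: str


# Constructed sample data standing in for the app's user table.
PROFILES = {
    1: Profile(1, "Alice", "555-0100"),
    2: Profile(2, "Bob", "555-0101"),
}


class Forbidden(Exception):
    """Raised when a user asks for an object they are not allowed to read."""


def get_profile_vulnerable(session_user_id: int, requested_id: int) -> Optional[Profile]:
    """Looks up whatever id the client put in the URL. The session is never
    consulted, so any authenticated user can read any other user's record."""
    return PROFILES.get(requested_id)


def get_profile_fixed(session_user_id: int, requested_id: int) -> Optional[Profile]:
    """Object-level authorization: the requested id must match the authenticated
    user (an admin role would need an explicit, separate check). A mismatch raises
    instead of silently returning data, so it can be logged and alerted on."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} requested profile {requested_id}")
    return PROFILES.get(requested_id)


def idor_attempts(log_lines):
    """Detection helper over constructed access-log lines of the form
    'user=<session id> GET /user/profile/<id>'. Returns (session id, path id)
    pairs where the two differ, i.e. candidate IDOR probing."""
    hits = []
    for line in log_lines:
        user_part, _, path = line.partition(" GET ")
        session_id = int(user_part.split("=", 1)[1])
        path_id = int(path.rsplit("/", 1)[1])
        if session_id != path_id:
            hits.append((session_id, path_id))
    return hits
```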
After tinkering around I also found account takeover through password change, SQL injection, OTP bypass, etc. I then reported to the company and got my money.