It’s still too easy to hack the Amazon Flex app

THE INFORMATION HERE IS FOR ENTERTAINMENT PURPOSES ONLY. THESE ACTS WERE NOT ACTUALLY COMMITTED BY ANYONE ASSOCIATED WITH THIS WEBSITE.

It’s been awhile since we posted about how easy it was to hack Amazon Flex to give yourself an edge on the competition. To recap we setup a man-in-the-middle (mitm) proxy, connected our phone to it, and then opened the Flex app. The mitm application would then output all sorts of juicy information that we could use to our advantage.

It was so easy, too easy, to get all the information needed to create a script that automatically grabs blocks straight from Amazon servers. A script similar to what real Flex drivers have been using for a long while. A program that’s impossible to compete with and something honest Flex drivers have been expressing frustration about for years. Surely Amazon has done something about it by now.. right?

Let’s do it again!

I have all but forgotten how to setup a mitm proxy, but I’m curious to see if it’s still as easy as it was 7 months ago to snoop in on the Amazon Flex app. Let’s see if it’s like riding a bike. We’re about to go on an adventure! A hacking adventure, and this bike is tandem, hop on. Hopefully this time Amazon has secured their server communications so that amateur hackers like you and I cannot so easily intercept information that was never meant for us to see. But i have my doubts about that.

Hard mode – Using Windows 7

Last time we did this we used Kali Linux which is a penetration testing Linux distribution. Basically, it had all the tools we needed for the job already installed on the system. This time we’re going hard mode and starting from scratch using a Windows 7 PC. Lets begin.

Installing Charles Proxy

I’ve used this before and as I recall it was fairly easy and user friendly. Charles is going to serve as the man-in-the-middle proxy that we’ll connect our phones to. Then Charles will give us all the behind the scenes info as we use the Amazon Flex app. We can think of Charles as our “man on the inside”. The Amazon Flex programmer who’s spilling the beans to us about how the app works, except he’s a computer program and not a real person.

Setup Charles

Alright, Charles is up and running. He’s a disgruntled programmer who works on the Flex app. He’s ready to tell us whatever we want to know. He tells us he’s going to set up a network that we need to connect our phones to in order to snoop in on app traffic. We do this and Charles confirms that we’re good to go.

Running Apps

Now that this phone is connected to Charles, we could in theory try to snoop in on any Android application, but most of them are secure and it won’t be so easy. It would take several more complicated steps that would take this adventure from amateur to advanced. That’s how it is with most Android applications, they’ve secured their API communications, hopefully Amazon Flex has followed suit and this wont work.

The moment of truth

Charles is running, we’ve connected the phone. We’re ready to run the Amazon Flex app and see what happens. We put our hoodie up, sunglasses on, and transform into a stereotypical 90’s movie hacker.

It worked

Admittedly it was a little harder this time. Not sure if that’s a result of Amazon taking extra measures to deter scripts or if it was a change with Charles Proxy. I had to do some Googling and extra configuration to the proxy but I was able to get the info I wanted from the Flex app in plain text.

First I went to the offers screen and refreshed while viewing Charles Proxy on my computer. What I was looking for here is the list of offers returned from the server, what I want to get is an offer ID, and here it is:

Here we have a block priced at $57 surging 6% and it’s offerId is on the 7th line. So what? You might say. Well, lets see what happens when we snoop in while accepting an offer.

Here we accepted that very same offer shown before. As Charles has shown us, accepting an offer only requires one piece of info, you guessed it, the Offer Id.

With a little scripting knowledge we could now use this info to create a program to look for new Amazon Flex offers, GET available offers id’s and POST a request to accept it. This script would run on our computer or server at our leisure. No honest driver could ever hope to compete with it, and we would be getting all the blocks we wanted.

This is what some drivers are actually doing! This is what drivers are talking about when they complain about “script users”. It’s not a conspiracy, it’s not a rumor. It’s a very real issue. It’s a plague to Amazon Flex and a disappointment to see that the largest retail company in all of the world has made it so easy to take advantage of their system. Despite it being a well known problem they STILL haven’t taken the steps to secure the Flex app’s communications, which would undoubtedly hurt script users and help honest drivers.

To Amazon Flex devs I must say:

Until next time friends. Appreciate you, be safe and flex on!