Client Overview:
A customer‑facing ride‑hailing mobile application that allows users to book cars and bikes, including off‑road and desert rides, engaged our security team to assess the security of its Android application and supporting backend services. The platform relies heavily on real‑time location tracking, dynamic pricing, and driver–rider interactions, making it a complex and high‑risk environment.
Objective:
The objective of the engagement was to identify vulnerabilities that could:
Enable unauthorized ride bookings or fare manipulation
Allow impersonation of drivers or riders
Expose real‑time location and personal data
Compromise backend dispatch and pricing systems
Methodology:
The assessment followed OWASP Mobile Top 10 and OWASP API Security Top 10, and included:
Mobile application static and dynamic analysis
API and backend service testing
Authentication, authorization, and session handling testing
Business logic and pricing workflow abuse testing
Exploitation and validation of critical findings
Key Findings:
The assessment identified several critical, high, and medium‑risk vulnerabilities specific to ride‑hailing functionality:
🔴 Critical Severity:
Fare Manipulation via Insecure Pricing API
Attackers could modify ride distance and fare parameters, resulting in under‑priced or free rides.
Driver Impersonation Through Broken Role Validation
Allowed users to perform driver‑only actions, including accepting rides and viewing rider locations.
🟠 High Severity:
Real‑Time Location Disclosure
Unauthorized access to live driver and rider GPS coordinates via exposed APIs.
Ride Hijacking via Booking ID Enumeration
Allowed attackers to access or cancel active rides by manipulating ride identifiers.
Account Takeover via Weak Session Management
Enabled attackers to take control of rider accounts and book rides without authorization.
🟡 Medium Severity:
Insecure Storage of Authentication Tokens Outside Keychain
Insufficient Certificate Validation Under Certain Network Conditions
Verbose API Error Messages Exposing Internal Logic
Impact:
If exploited, these vulnerabilities could have resulted in:
Financial losses due to fare and promotion abuse
Physical safety risks to drivers and riders
Exposure of sensitive location and personal data
Loss of trust and reputational damage
Operational disruption of ride dispatch systems
Challenges Encountered:
During the engagement, the team faced several ride‑hailing‑specific challenges, including:
Highly dynamic pricing logic, requiring precise manipulation without disrupting live services
Real‑time GPS updates and WebSocket communication, complicating traffic analysis and replay testing
Time‑bound ride states (requested, accepted, in‑progress, completed), requiring careful synchronization during exploitation
Multiple user roles (rider, driver, admin) with overlapping APIs, increasing complexity of authorization testing
These challenges were addressed through controlled testing and manual business‑logic analysis.
Recommendations:
Key remediation actions included:
Enforcing server‑side validation for pricing and distance calculations
Implementing strict role‑based access controls for driver and rider actions
Protecting real‑time location APIs with proper authorization checks
Strengthening session management and token handling
Applying rate limiting and monitoring on critical booking endpoints
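As an added illustration of the first three recommendations (example code, not the client's or the engagement's own), the following Python shows a server‑side fare quote that derives distance and price solely from server‑held coordinates, beside the trusting "before" pattern the fare‑manipulation finding describes, plus an object‑level and role check so that a ride ID alone grants nothing. The tariff, the Ride structure and all coordinates are constructed assumptions.

```python
# Added example, not code from the assessed platform. Tariff values,
# the Ride record and all coordinates below are constructed.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

BASE_FARE, PER_KM = 2.00, 1.25   # constructed tariff, never sent by the client

@dataclass
class Ride:
    ride_id: str
    rider_id: str
    driver_id: Optional[str]
    pickup: Tuple[float, float]   # (lat, lon) captured server-side at booking
    dropoff: Tuple[float, float]
    status: str = "requested"

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def quote_fare_vulnerable(request: dict) -> float:
    """'Before' pattern: honours distance_km and fare fields from the app,
    so a tampered request yields an under-priced or free ride."""
    return float(request.get("fare", BASE_FARE + PER_KM * float(request["distance_km"])))

def quote_fare(ride: Ride, request: dict) -> float:
    """Hardened: distance and fare come only from the stored ride; any
    distance/fare fields in the request are ignored entirely."""
    return round(BASE_FARE + PER_KM * haversine_km(ride.pickup, ride.dropoff), 2)

def authorize_ride_action(ride: Ride, user_id: str, role: str, action: str) -> bool:
    """Role plus ownership check, evaluated for every ride-scoped request."""
    if action == "accept":                      # driver-only, unassigned rides only
        return role == "driver" and ride.status == "requested" and ride.driver_id is None
    if action == "view_rider_location":         # only the assigned driver
        return role == "driver" and ride.driver_id == user_id
    if action in ("cancel", "view_ride"):       # parties to this ride only
        return (role == "rider" and ride.rider_id == user_id) or \
               (role == "driver" and ride.driver_id == user_id)
    return False
```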
Value Delivered: