Thoughts for food, part 1: the emulator

2018-06-27 Michal

The thing about technology is that not only does it make our lives easier, but we can also use it to cheat technology to make our lives even easier. In today’s episode of “Cheating With Michał” I will introduce you to a case of reverse engineering software to get cheaper food online. Again, so as not to provoke arrests from some sort of food police, I won’t use real brand names, but the savings were real – and at the time of writing this article the methods described still worked. There are additional checks in place now, but there are only a few additional steps you need to take.

The introduction

There are two main competing food delivery chains where I live – let’s call them GoodFood and PizzaPeople. I particularly like ordering food from the latter, since they have better customer service and they give out discount codes from time to time. They’ve lately started a marketing campaign in collaboration with a third-party company – let’s call them Disco. Disco has an app for Android and iOS that you can use to get discount codes for a few services – one of which is PizzaPeople. With a code of theirs you can get about 30% off your order. Good deal, ain’t it?

Of course Disco’s programmers are not stupid and they allow you to only get one discount per device. The thing about me is that I won’t allow any obstacles to stand between me and cheap food. Since they offer an Android app, there’s a good chance it will work on an Android emulator. And with an Android emulator configured properly we can pretend we’re a different device every time we launch the app. Or – better yet – further analyze the traffic and get more info.

Getting discounts the easy way

After launching Disco on two separate devices I was given two separate codes, but even after re-installing the app the codes stayed the same. That means (obviously) that the codes are issued per device, but – given that those devices were using the same IP address – that also means that device uniqueness is determined by some internal identifier. What does Android use to identify devices? On every factory init (and after doing a full device wipe) your device is assigned a unique string of 16 alphanumeric characters called the Device ID.

I don’t have any Android devices in my household, so I went with an emulator – Bluestacks was my weapon of choice. Though it’s infamous because of being bloated with ads and self-installing apps (which is also a form of advertisement, albeit a poor one), some folks released a nice add-on called BSTweaker, that allows you to patch Bluestacks, remove some of those ads and also change your Device IDs.

Disco developers were not stupid and of course they thought about storing your Device ID in the application cache, but you can clear that either somewhere in Android system settings or just by uninstalling the app.

So what’s the process of basically getting unlimited free discount codes?

  1. Install Bluestacks.
  2. Install Disco from the Google Play store.
  3. Launch the app and get your code.
  4. Uninstall the app.
  5. Run BSTweaker, force quit Bluestacks, patch Bluestacks if that’s your first run, generate a random UUID and apply it to Bluestacks.
  6. Repeat steps 2-5 until you’re no longer hungry or have no money.

Why do you get a new code every time? Because having a unique ID every time essentially makes your device look like a new one. So is the goal achieved? Is this the end? Well, both yes and no. Yes, because you can get whatever amount of discount codes you want. No, because this process is time consuming if you want to get your codes in bulk. Going through all those points above takes about 3-4 minutes if you’re a computer god, and will definitely take a lot longer if you’re not sure what you’re doing.
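Seen from the issuer's side, the pattern above is a run of never-before-seen device IDs requesting codes from one source IP a few minutes apart. The following detection sketch is an added example, not code from the original post or from any of the companies mentioned; the log record layout, the one-hour window and the threshold of three devices are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_NEW_DEVICES = 3           # assumed threshold; tune for NAT and shared Wi-Fi

# Constructed sample of code-issuance records: (timestamp, source IP, device ID).
SAMPLE_LOG = [
    ("2018-06-27T18:00:05", "203.0.113.7", "a1b2c3d4e5f60718"),
    ("2018-06-27T18:04:11", "203.0.113.7", "0f1e2d3c4b5a6978"),
    ("2018-06-27T18:08:02", "203.0.113.7", "1122334455667788"),
    ("2018-06-27T18:09:30", "198.51.100.20", "99aabbccddeeff00"),
    ("2018-06-27T18:12:47", "203.0.113.7", "8877665544332211"),
    ("2018-06-27T18:16:20", "203.0.113.7", "deadbeefcafef00d"),
    ("2018-06-27T21:30:00", "198.51.100.20", "0123456789abcdef"),
]

def flag_device_churn(records, window=WINDOW, max_new=MAX_NEW_DEVICES):
    """Return {ip: [timestamps]} of requests that pushed an IP past max_new
    distinct device IDs inside the sliding window."""
    recent = defaultdict(deque)   # ip -> deque of (time, device_id)
    alerts = defaultdict(list)
    for ts, ip, device_id in sorted(records):
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        while q and now - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        q.append((now, device_id))
        if len({d for _, d in q}) > max_new:  # repeats of one ID count once
            alerts[ip].append(ts)
    return dict(alerts)

if __name__ == "__main__":
    for ip, hits in flag_device_churn(SAMPLE_LOG).items():
        print(ip, "exceeded", MAX_NEW_DEVICES, "device IDs per window at", hits)
```

A flag like this is a signal for review or for holding back issuance, since a client-reported device ID on its own proves nothing about the hardware behind it.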

What about reverse engineering? It was fun last time

Of course we could use Fiddler again to analyze the network traffic, but there are a few problems with that:

  1. Bluestacks doesn’t let you change your proxy settings.
  2. Bluestacks doesn’t let you install SSL certificates to do a man-in-the-middle interception of HTTPS traffic.
  3. Developers of apps like this are not stupid and they install measures preventing you from intercepting the traffic.
  4. The application code is heavily obfuscated, so it cannot be easily decompiled by any traditional means.

If you’re looking for a good time spent vs. money saved ratio here, then I think you’re best off sticking to the emulator route. I’m looking for knowledge and fun, and I like technical challenges – so our detective work will continue in the next blog post. What kind of security measures are implemented in this app? How can we get past them? Will we finally ditch Bluestacks? Will we be able to fiddle with Fiddler? Will it blend? We’ll find out after the break! But beware: it will contain some serious technical voodoo.
