Imitation of a banking app
Displays fake connection problems to entice the thief to keep trying
Login screen for the companion app
A picture secretly taken of the thief with the phone's selfie camera when the thief pressed the login button
Companion app showing the map of location history of a stolen device
We think improving cybersecurity does not always entail passively anticipating possible attacks. It is an equally valid strategy to go on the offensive against the transgressors. Hence, we employed the strategy of the aggressors against themselves --- by making what's basically a phishing bank app that allows us to gather information about potentially stolen phones.
What it does
Our main app, Bait Master, is a cloud application linked to Firebase. Once the user finishes the initial setup, the app disguises itself as a banking application with a fairly convincing UI/UX and fake bank account information. Should the phone ever be stolen or its password cracked, the aggressor will likely be tempted to take a look at the obvious bank information. When they open the app, they fall for the phishing bait. The app discreetly takes several pictures of the aggressor's face with the front camera, and periodically uploads location/time information in the background to Firebase. The user can then check this information (and please also contact the local police) by logging in to our companion app, Bait Master Tracker, where we use Google Cloud services such as the Map API to display it.
How we built it
Both the main app and the companion app are developed in native Android using Android Studio. We used Google's Firebase to store user information, pictures, and location data. For our companion app, we also used Firebase and Google Cloud services to retrieve and display the information.
Challenges we ran into
1) The camera2 library of Android is incredibly difficult to use. Taking a picture is one thing --- but taking one discreetly without using the native camera intent and saving it took us a long time to figure out. Even now, the front camera configuration sometimes fails on older phones --- we are still trying to figure that out.
2) The original idea was to use Twilio to send SMS messages to the back-up phone number of the owner of the stolen phone. However, we could not find an easy way to implement Twilio in Android Studio without hosting another server, which we think would hinder maintainability. We eventually decided to opt out of this idea.
Accomplishments that we're proud of
I think we really pushed the boundary of our Android dev abilities by using features of Android that we did not even know existed. For instance, the main Bait Master app is capable of morphing its own launcher to acquire a new icon as well as app name to disguise itself as a banking app. Furthermore, discreetly taking pictures without any form of notification and uploading them is very technically challenging, but we pulled it off nonetheless. We are really proud of the product that we built at the end of this weekend.
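The launcher "morphing" described above is done on Android by declaring several `<activity-alias>` entries with the LAUNCHER intent filter and enabling only one of them at a time. The following is an added example, not Bait Master's own code, and the alias names, icons and labels are assumptions; it also shows the check a reviewer would make to tell which alias is currently active.

```java
// Added example: swapping an app's launcher icon and label via <activity-alias>.
// Assumed manifest (hypothetical names):
//   <activity android:name=".MainActivity"/>                      (no LAUNCHER filter)
//   <activity-alias android:name=".PlainAlias" android:targetActivity=".MainActivity"
//       android:label="Bait Master" android:icon="@mipmap/ic_plain" android:enabled="true">
//       <intent-filter> MAIN + LAUNCHER </intent-filter> </activity-alias>
//   <activity-alias android:name=".BankAlias" android:targetActivity=".MainActivity"
//       android:label="My Bank" android:icon="@mipmap/ic_bank" android:enabled="false">
//       <intent-filter> MAIN + LAUNCHER </intent-filter> </activity-alias>
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;

public final class LauncherDisguise {
    // Hypothetical fully qualified alias names; they must match the manifest exactly.
    private static final String PLAIN_ALIAS = "com.example.baitmaster.PlainAlias";
    private static final String BANK_ALIAS  = "com.example.baitmaster.BankAlias";

    private LauncherDisguise() {}

    /** Enables exactly one launcher alias and disables the other. */
    public static void setDisguised(Context ctx, boolean disguised) {
        PackageManager pm = ctx.getPackageManager();
        setAlias(ctx, pm, BANK_ALIAS, disguised);
        setAlias(ctx, pm, PLAIN_ALIAS, !disguised);
    }

    private static void setAlias(Context ctx, PackageManager pm, String alias, boolean enabled) {
        ComponentName cn = new ComponentName(ctx.getPackageName(), alias);
        int state = enabled
                ? PackageManager.COMPONENT_ENABLED_STATE_ENABLED
                : PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
        // DONT_KILL_APP keeps the process alive while the launcher refreshes its entry;
        // some launchers only show the new icon after their next re-layout.
        pm.setComponentEnabledSetting(cn, state, PackageManager.DONT_KILL_APP);
    }

    /** True when the bank-styled alias is the currently enabled launcher entry. */
    public static boolean isDisguised(Context ctx) {
        ComponentName cn = new ComponentName(ctx.getPackageName(), BANK_ALIAS);
        // An alias left at its manifest default (enabled="false") reports STATE_DEFAULT, not ENABLED.
        return ctx.getPackageManager().getComponentEnabledSetting(cn)
                == PackageManager.COMPONENT_ENABLED_STATE_ENABLED;
    }
}
```

When auditing an APK, more than one component carrying the LAUNCHER intent filter in the manifest is the tell-tale sign that the app can change its displayed identity in this way.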
What we learned
Appearances can be misleading. Don't trust everything that you see. Be careful when apps ask for permissions they shouldn't need (such as camera and location).
What's next for Bait Master
We want to add more system-level mobile device management features such as remote password reset, wiping sensitive data, etc. We also want to make the app more accessible by adding more disguise variants, as well as improving our client support by making the app easier to understand.