lucia/luciaa.at
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Updated the spar app jokers blog entry

Browse source
This commit is contained in:
Lucia Zehentner 2025-04-27 20:32:35 +02:00
parent c3c1ffea20
commit 65a87ddcd4
19 changed files with 86 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

2
assets/entry_data/spar_app_jokers.json
View file

@ -2,6 +2,6 @@
"href": "spar_app_jokers.html",
"date": "2025-04-04",
"author": "Lucia Zehentner",
"tags": ["android", "app", "exploit", "shopping", "SPAR"],
"tags": ["android", "app", "exploit", "shopping", "SPAR", "supermarkets"],
"content_warnings": []
}

12
assets/entry_data/spar_app_jokers.md
View file

@ -1,6 +1,6 @@
# How to get an infinite amount SPAR Jokers
Austian retailer SPAR has released an relatively privacy-friendly discount app back in 2023. The user of the respective app can get so called -25% Jokers. Those jokers however are limited to 4 items and take some time to become available again, similar to their analoge counterpart. However due to the afformentioned privacy-friendliness of this particular app, unlike many other shopping apps it doesn't need an account to verify that the jokers are only used once by a customer within a certain timeframe. This is due to the information, whether one or multiple jokers have been used does appere to only be stored only locally on your phone. This fact makes the exploit explained in the following chapters possible as of April 2025.
Austian retailer SPAR has released an relatively privacy-friendly discount app back in 2023. The user of the respective app can get so called -25% Jokers. Those jokers however are limited to 4 items and take some time to become available again, similar to their analoge counterpart. However due to the afformentioned privacy-friendliness of this particular app, unlike many other shopping apps it doesn't need an account to verify that the jokers are only used once by a customer within a certain timeframe. This is due to the information, whether one or multiple jokers have been used does appear to only be stored only locally on your phone. This fact makes the exploit explained in the following chapters possible as of April 2025. You should not log into the app after reseting as this may bar you from restoring your jokers.
## Things to consider
@ -14,7 +14,7 @@ The following writeup has been tested to on Android 13, 14 and 15, with the part
<div class="three-gallery">
<figure>
<img alt="A screenshot of the SPAR app. On the top 'Meine Ersparnis 2025: € 61,15' is visible. Also 0 Jokers are available." src="assets/img/blog/spar_app_jokers/step_0.png">
<img alt="A screenshot of the SPAR app. On the top 'Meine Ersparnis 2025: € 61,15' is visible. Also 0 jokers are available." src="assets/img/blog/spar_app_jokers/step_0.png">
<figcaption>Step 0</figcaption>
</figure>
<figure>
@ -27,7 +27,7 @@ The following writeup has been tested to on Android 13, 14 and 15, with the part
</figure>
</div>
0. Before starting we have no Jokers left. This is very sad, of course and we should seek a remedy for this.
0. Before starting we have no jokers left. This is very sad, of course and we should seek a remedy for this.
1. Locate the Spar app on your home screen or within your app drawer
2. Long-press the app icon until a context menu pops up
3. Within this context menu, select the option "App info"
@ -53,7 +53,7 @@ The following writeup has been tested to on Android 13, 14 and 15, with the part
<div class="three-gallery">
<figure>
<img alt="A screenshot of the SPAR app. On the top 'Meine Ersparnis 2025: € 0,-' is visible. There are four Jokers are available." src="assets/img/blog/spar_app_jokers/step_7_8.png">
<img alt="A screenshot of the SPAR app. On the top 'Meine Ersparnis 2025: € 0,-' is visible. There are four jokers are available." src="assets/img/blog/spar_app_jokers/step_7_8.png">
<figcaption>Step 7 (not pictured) and 8</figcaption>
</figure>
</div>
@ -67,6 +67,10 @@ Alternatively you also could uninstall and reinstall the app every time, however
I'll try to soon get around asking people who use iOS to test this exploit themselves, so I can verify the validity of this exploit on iOS devices. A writeup on performing this exploit on iOS is found [here](/blog/spar_app_jokers_ios), if it's already available by the time you read this. I'm also planing to take a closer look at how the data of the app is stored, this might be useful to e.g. mass export digital reciepts or to keep configurations, while reseting the jokers and customer ID.
## Update 2025-04-27
I initially forgot to mention that jokers only reset when not logged in. Thanks Aurelia for bringing this to my attention.
<div id="footnotes">
¹ I'm not setting up a MacOS VM in order to be able to do some xcode shenanigans, sorry.
</div>