Skip to main content

Checking Suspicious Links in Corellium

Imagine being on vacation and receiving this SMS shortly before your flight home:

suspicious sms

But you didn’t check in online… You’re not flying Southwest… And what’s up with that URL? We can inspect the link using Android or a jailbroken iOS device, along with some of Corellium's built-in tools.

We’ll start by using the built-in Network Monitor. Using a virtual device with a proxy, such as Burp or Charles, will be covered in a later post.

You will need a virtual device. If you haven't already, check out our Quickstart for Android article.

Part 1: Start the Network Monitor

Before loading the browser, make sure you enable the Network Monitor to capture the traffic.

  • Click “Network” to the right of your virtual device.
  • Click “Start Monitoring.”

Captured HTTP and HTTPS traffic will appear in the Overview panel next to the device. Click on any of the captured packets to view more information, including the request and the response.

Part 2: Load the Suspicious URL

  • Open the browser, type in the suspicious URL and hit enter.
  • The URL sends you to accounts.google.com, what’s going on?
  • Let’s use the Network Monitor to investigate!

Load the link

Part 3: Review Captured Packets

The Network Monitor captures two packets when loading the URL. (Note: starting the browser resulted in the Monitor capturing a handful of packets before we entered our URL. We cleared the log first to create the screenshot below.)

Network monitor list

Entry #1 looks pretty interesting! Click on the packet to view the request.

packet details

The request goes to “wallet-api.urbanairship.com” and takes us to a Google sign-in page. The response includes “pay.google.com”, which belongs to Google’s digital wallet platform.

request payload

If we Google “wallet-api.urbanairship.com”, we find a link to Airship's Wallet API. There’s also a Reddit post stating Southwest Airlines uses a third party to deliver mobile boarding passes. And Airship confirmed on Twitter that the “airsp.co” link is legitimate.

google search

If we load the URL on a jailbroken iOS device (just to compare), Safari says it “cannot download this file.” Here’s the response:

on jailbroken device

If we Google “vnd.apple.pkpass”, we find a link to Apple’s Wallet Developer Guide.

All these different breadcrumbs point to the SMS and link containing a legitimate Southwest boarding pass… It’s not ours, but probably the result of someone mistyping their phone number. At least it wasn’t something nefarious!

Note about Virtual iOS Devices

Certain applications, including Apple Wallet, aren’t supported on our virtual iOS devices. This is why Safari could not “download this file.” On a physical iOS device, clicking the link causes Apple Wallet to load the boarding pass.