Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


this is a project i did for my cs308s computer security course at university of texas. the goal was to explore the security of the square credit card reader. i believe the project was a success because i found a few different attack vectors, one of which seemed particularly relevant. the attack vectors and implementation details are available in the report.


as far as i can tell, there's nothing stopping another app from listening to a credit card swipe in the background. that means you could process a payment in the square app, and a malicious app could be skimming your credit card number in the background with no visible indication.

is it possible for this to happen in the wild? certainly. likely? probably not. the important thing is that it doesn't look like there are easy means of preventing the exploit. it would be extremely difficult to produce an unpowered encrypted card reader, so square would have to hope for an update to the ios api.

project details


the biggest shortcoming of the project is that i did not have an apple developer account, so all of my results are based on the ios simulator. i would love to hear about others' experiences reproducing these results on actual hardware.

another significant shortcoming of the project is the error handling. like most school projects, the focus was not on writing robust software, so ymmv with the analog-to-digital conversion code.

running the implementation

the project has several non-insignificant requirements:

  • xcode 4
  • python 2.7 (though 2.6 may work…)
  • scipy
  • a square credit card reader (free from the website)
  • an audio adapter if, like me, you're too cheap to get the apple developer account

once your system has the pre-requisites, you can decode card numbers yourself by connecting the card reader to your laptop via the adapter, firing up the server from the project directory by running:

$ ./

and then compiling and running the 'Crooked' ios app in xcode. it's pretty rough, but if you start recording, swipe the card, and then stop recording, it sends the audio to the server, and recieves and displays the decoded number.

the report title

the report title is a nod to some fascinating work by Hovav Shacham, which gets its title from a bob dylan tune.


investigating the security of the square credit card reader






No releases published


No packages published