mikenemat/gm-onstar-probe

How to refresh keys?

tjpatter opened this issue · 5 comments

"Updated with new client IDs and JWT signing key" <-- How did you derive these? Open to chatting offline as well, but really want to understand where these come from and how to refresh them should the need arise. Love this project!

Hey there. The Client ID and the JWT signing key are extracted from the Android APK. Roughly speaking, the steps I performed:

  • Decompile the APK
  • Inject Smali code to disable certificate pinning
  • Inject Smali code to dump the JWT signing key to logger during the JWT signing process
  • Rebuild the APK and deploy it to a device
  • Use Burp Suite to perform SSL man-in-the-middling, to capture API calls + client ID, while monitoring logs to observe the JWT signing key.

You could skip Burp Suite and tampering with cert pinning and stick to dumping the variables to logger if you do not care about observing the API endpoints. I struggled to find the client ID var in the Smali bytecode, so I found it easier to pull that specific value out of the POST requests to the API.

Periodically, older Client IDs are blacklisted. Along with the new client IDs in the new app APKs, it seems that the JWT signing key is refreshed as well. Blacklisting older Client IDs also breaks the Android app on any devices which may not support the newer version. It is done very rarely. I've only seen it happen once so far. This has significant customer impact, and only gets worse over time, so I'd expect it to remain very rare.

Good luck!
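To make the arrangement described above concrete from the server's side, here is an added example (not code from this repo or from the app in question) of the verification logic that goes with it: a client mints an HS256 JWT with the key embedded in the app, and the server only accepts the currently issued key and rejects tokens carrying a blacklisted client ID. The key material, `kid` values, client IDs and the `client_id` claim name are constructed for illustration; the real API's claim layout is not known from this thread.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """HS256 JWT as a client app would mint it with the key shipped in the APK."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Constructed server-side state: the one signing key currently issued to clients,
# and client IDs that have been blacklisted after a key refresh.
ACCEPTED_KEYS = {"2024-key": b"constructed-current-signing-key"}
BLACKLISTED_CLIENT_IDS = {"old-client-id-0001"}


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # fixed expectation; never let the token pick the algorithm
        return None
    key = ACCEPTED_KEYS.get(header.get("kid"))
    if key is None:  # signed with a retired or unknown key
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("client_id") in BLACKLISTED_CLIENT_IDS:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```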

Much of this should be automatable to some extent, and the fact you have to do so manually, then multiple people look to your repo to find the new keys doesn't scale well.

Any chance you know of a good write up as to how to do all of what you describe? While I'm alright at decompiling APKs and reading for some of the answers I am looking for, I've no experience on the building side of Android apps, though have done much of what you describe on other platforms.

I don't disagree at all, but unfortunately I cannot dedicate the time towards automating this. It could be done but it's a non-trivial amount of work. The instructions I provided earlier summarize the steps needed. Anything more specific than that would be prone to failure if automated as things will change between builds.

I misspoke perhaps; I was not aiming for you to automate this. Given I use these values too, I was planning to do so with such instructions. I'll see about some deep diving into building/modifying Android apps.

I've managed to decompile the APK, make a minor change, rebuild, sign & deploy working on my end... and it still works.

Any pointers you could provide would be welcome wrt cert pinning & adding logging. Neither Java, Smali nor Android development in general is my forte.

This area smells right:
[screenshot attached in the original issue]
however my first attempt at changes (not featured here) didn't do it.

Now to keep looking for more...