Encrypted data in Renpho Health app
Opened this issue · 9 comments
I was sniffing the iOS app's requests to pull my data out of it since Renpho doesn't provide a public API. However, it appears to be fucking encrypted now - both request and response payloads. I decompiled an .apk file and looked through some Java code. There is a ton of files and folders in there for such an unspectacular app. Unfortunately, some parts failed to decompile, but the main action appears to be going on in an `AESUtil.java` file. I couldn't figure out what the encryption key was since there are a whole lot of files that show up on a "decrypt" search.
I wish I was an expert in encryption and Java. Is there anyone who managed to decrypt this shit?
I haven't had a look yet, but you make this sound interesting. When I initially looked into this, the main issues were using a MITM attack on SSL traffic and decompilation - the decompiled source was not easy to read or find anything in. If you haven't already, I wrote a blog on this a while ago here
You can look at my fork. I saw the data is encrypted for every request. I looked at the apk and the decompiled code. One way of doing it could be to add debug mode to the signed apk to print the data before the request, and afterwards find the correct encryption. @StashOfCode if you want to talk or email, we can find a way to make it work
@neilzilla, yeah, that's basically how I found your repo :) Nice write up.
I used Proxyman for request sniffing and Jadx for decompiling. The code produced is very readable except for a few files.
Unfortunately, I can't use the older app since it doesn't support new devices
@antoinebou12, So far I've tried the following things:
- I traced the decompiled .apk code to find a place where the encryption key is loaded or created. I found a few hardcoded AES-128 keys (check out a `DAUL_ENCRYPTION` variable in `RetrofitUtils.java`), but they failed to decrypt traffic. Also, I found this line of code, `AESUtil.setcKey(AlgorithmJni.getRenphoPassword());`, which is one of the places where the encryption key is set. Searching for `getRenphoPassword` leads to a class where this method is not really defined - `public static native String getRenphoPassword();`. Perhaps that's because jadx failed to decompile some code in other files. I wanted to test that the encryption key was indeed a derivative of the account password. I then changed the password, but most request payloads still stayed the same. I'm still eyeballing code to understand what's going on - it's quite convoluted for a non-Java dev. My main problem is that I'm not sure which of the many encryption-related functions is used for `cloud.renpho.com` traffic.
- I dumped iOS data and looked through Renpho `.sqlite` dbs. I didn't find encryption keys there. It does store `token` and `userid`, however, which are used in request headers. Also, according to `createAllTables` in `AppDataBase_Impl.java`, there should've been an `encryptedPassword` column in a `User` table, but it doesn't exist in my iOS dump of the db.
- I'm looking into dynamic analysis using Frida and Waydroid. I found this brilliant article https://frdmtoplay.com/freeing-glucose-data-from-the-freestyle-libre-3/ that briefly explains how to do it.
I'm currently stuck at installing a VNC server on my linux VPS 🥲
What do you think about the Frida + Waydroid approach?
I have a rooted device emulator with HTTP and HTTPS traffic. I didn't find the .sqlite db with the encryption code. I have multiple servers if you want to play with your approach. I found that I can set the apk into debug mode and re-sign the apk so I can debug. I saw the RetrofitUtils.java and I don't understand the code. I'll try Frida with Waydroid in the future. Thanks @StashOfCode !
@StashOfCode Frida and Waydroid look super interesting, there's a lot to think about there - very interesting post!
Correct me if I'm wrong, but that post mainly talks about decrypting the local database? This is something I'd not considered, but in developing this plugin I'm not sure how useful it is.
I definitely want to have a look at picking apart this new app, however; I'll see if I can make some time this weekend.
@antoinebou12 if I can pull apart the new API, could you incorporate this into the addon?
@antoinebou12, do you have an arm64 server with Ubuntu 20-22 on it? I managed to configure a rented VPS and install Waydroid, but I failed at the apk installation step - turns out the VPS was running on x86 while the app requires arm lol
@neilzilla, right! The goal in that post was to decrypt the db. I believe we can use the same general approach & tools to figure out how Renpho encrypts requests
Email me at antoine@antoineboucher.info. I can give you a free vm