
(Not) the official Habr application, HabrApp 2.0: gaining access

One languid and already rather annoying evening, leafing through the official Habr application, I once again counted on my fingers the features that do not work. For example, you cannot comment, you are denied the right to vote, and why, really, can't you see formulas on the screen?



So it was decided: I need something comfortable, pleasant, my own. How about my own application for Habr?
A few screenshots to make the situation clear.

This is roughly how it looks: the official habr.com application

List of "inconveniences"
  • You cannot rate a publication whose rating is other than 0.
  • You cannot always write a comment.
  • Polls don't work.
  • In the dark theme you cannot see the formulas (black on black).
  • Not all bookmarks are available.

Yes, the application has not been updated since last August, but it is still bad. In short, it needs fixing.

Part one. In search of access.


A quick Google search for "habrahabr API" promptly turned up an outdated repository on GitHub, not updated since November 21, 2016, which is, mind you, two and a half years ago.

Ignoring the fact that it is PHP, we scroll down and read:


Getting application ID



Using this form on Habrahabr, you need to briefly describe the essence of the new application and the purpose for which it needs the API.


Fair enough: if that is what it takes to get access, so be it. I wrote a letter (abbreviated):


Letter

There is a desire to make an application for Habr based on PWA. There are several reasons for this.


The first and most understandable: the Android application does not satisfy my personal requirements.


Second: there are not enough native notifications about all sorts of things that usually arrive in the mail (comments, for example).


Third: personal digests (as a prospect) on the people/hubs that interest me, taking my interests into account.


The answer, of course, was not very pleasant, but at least it was honest:


Unfortunately, access to our API is currently not available. We plan to resume granting access after we finish finalizing the API, but we don't have any exact dates yet, because at the moment we are busy with other priorities.


"Okay, never mind! We'll think of something!" I said to myself, and began to search.


Part two. Deep excavations.


Logically, if the application works, then it has access to the API, and that access is baked into the application. Let's take it apart.


Since we are dealing with traffic, Wireshark is our tool of choice. Not without some pain, we route the phone's Internet connection through a desktop computer, open the application and look at the requests:


It is clear that nothing is clear

Yes, everything is encrypted, and I do not want to mess with the cryptography. So we have to look inside the application itself.

After decompiling the .apk, we start searching. What does any API need? That's right, an endpoint: the place all requests go to. It is probably http(s), so we try searching for "https://":

In the file AuthLinkManager.smali we find


    .field OAUTH:Ljava/lang/String; = "https://habrahabr.ru/auth/o/%s/"
    .field OAUTH_PARAMS:Ljava/lang/String; = "?client_id=%s&response_type=token&redirect_uri=%s"
    .field OAUTH_REDIRECT_URL:Ljava/lang/String; = "http://cleverpumpkin.ru"

This is code for the Android virtual machine (Dalvik VM), which is not very readable for humans but is still quite informative. These three constants, judging by their content and names, as well as by the GitHub repository, are used to request the access token with a GET request.


We look further. Next, the search turns up the file NetworkModule.smali:


    const-string v0, "https://habr.com/api/v1/"

And here is where the requests are sent!


For a homemade client to work normally, only one thing remains to be found: client_id, which is most likely the unique identifier of the application.


However, searching for this text in the sources did not turn up anything relevant...


But then, in one file, my eye caught on some interesting lines:


    const-string p8, "log-tag"
    invoke-static {p8, p2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

This, as you can guess, is a log entry. But an entry of what?


Part three. So, logs!


We use adb logcat to view the application's logs.



Unexpectedly, the logs turned out to be even more detailed than expected.


They contain not only the client_id we were looking for, but also the user/application token, as well as the login and password in clear text!


A few conspiracy theories
By itself, the presence of the login and password in the logs does not harm anything, since these logs can be read only with root rights or over an adb connection. But since among the people reading Habr there are Android developers who may have USB debugging turned on, this becomes a problem.

In that case, a "free charge" at the airport can end in your account being hijacked, although who would need it?
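As an added example (not code from the post or from the application), here is a small Python audit a developer could run over the output of adb logcat -d in CI to catch exactly this class of leak: it parses threadtime-format lines, keeps only the app's own log tags, and flags and masks secret-looking values. The sample logcat lines, tags and values are constructed.

```python
import re

# Constructed sample of `adb logcat -v threadtime` output (not real app output).
SAMPLE_LOGCAT = """\
04-05 12:00:01.123  1234  1234 D HabrAuth: request client_id=abc123 response_type=token
04-05 12:00:01.456  1234  1234 D HabrAuth: login=reader password=hunter2
04-05 12:00:02.001  1234  1240 D HabrNet : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
04-05 12:00:02.010  1234  1240 I ActivityManager: Displayed com.example/.MainActivity
"""

# threadtime layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# Each pattern captures (name, separator, value) so that only the value is masked.
SECRET_RES = [
    re.compile(r"\b(password|passwd|pwd|token|access_token|client_secret)(=)(\S+)", re.I),
    re.compile(r"\b(Bearer)( )(\S+)"),
]

def parse_line(line):
    """Split one logcat line into its fields, or return None if it is not threadtime format."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None

def redact(msg):
    """Mask secret values in a message; return (masked_msg, list_of_secret_kinds)."""
    kinds = []
    def mask(m):
        kinds.append(m.group(1).lower())
        return m.group(1) + m.group(2) + "<redacted>"
    for rx in SECRET_RES:
        msg = rx.sub(mask, msg)
    return msg, kinds

def audit_logcat(text, tag_prefix):
    """Return findings for lines whose tag starts with tag_prefix (the app's own tags)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["tag"].startswith(tag_prefix):
            continue
        masked, kinds = redact(rec["msg"])
        if kinds:
            findings.append({"tag": rec["tag"].strip(), "kinds": kinds, "redacted": masked})
    return findings

if __name__ == "__main__":
    for finding in audit_logcat(SAMPLE_LOGCAT, "Habr"):
        print(finding)
```

Any finding should fail the build; the masked message can go into the CI report without re-leaking the value.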

From these logs you can make:


And so it happened. On the basis of this tiny bit of research, work is already underway on a small project: a private implementation of the mobile application. Those wishing to help, please write me a private message; everyone else, please vote (because I want to understand whether anyone needs this).

Thanks for your attention!

Source: https://habr.com/ru/post/447148/
