From: Joann Mõndresku Date: Sun, 12 May 2024 18:55:14 +0000 (+0300) Subject: Protobuf API post: Added CA instructions and webserver config X-Git-Url: https://git.based.quest/%7B%7B%20%24url%20%7C%20absURL%20%7D%7D?a=commitdiff_plain;h=be8f6a91907eb969d51250c62dfd9c865419a645;p=web-hugo.git Protobuf API post: Added CA instructions and webserver config --- diff --git a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md index 5c94bd1..ce06d43 100644 --- a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md +++ b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md @@ -95,6 +95,8 @@ When I jumped to it, I saw an exactly adjacent string to it which could give mor Interesting, `www.auxbrain.com`. If we jump to its XREF, we get a garbled function, but what it seems to be doing is setting up certain global values. +## The smoke-test + So we have a potential API endpoint, let's put it to the test. We're not going to recompile anything yet or do any byte-patching, let's try a quick smoke-test. Ensure your phone is rooted and you have a variant of Xposed Framework installed (I used LSPosed). We will need to unarm the SSL pinning present in most apps, including this one, I used [io.github.tehcneko.sslunpinning](https://github.com/Xposed-Modules-Repo/io.github.tehcneko.sslunpinning) module. @@ -104,7 +106,40 @@ Next, install [AdAway app from F-Droid](https://f-droid.org/packages/org.adaway/ Inside AdAway, add a redirection rule for the address we just found and point it to an IP address in your LAN that will run the API server. Generate a self-signed certificate authority and a certificate signed by it and run a webserver with both HTTP and HTTPS on the API server machine. -Import the self-signed CA to your phone's truststore. Once all of that is done, run the app for first time. +``` +# Create an ext file containing the Subject Alternative Name (SAN) +# DNS.1 should correspond to the API endpoint of the app (more info near end of article if you plan on changing) +cat > auxbrain.ext << EOF +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = www.auxbrain.com +EOF + +# Create your own Certificate Authority +openssl genrsa -des3 -out myCA.key 2048 +openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem +# Create a CSR and lets have the new CA sign it +openssl req -new -key auxbrain.key -out auxbrain.csr -nodes +openssl x509 -req -in auxbrain.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out auxbrain.crt -days 825 -sha256 -extfile auxbrain.ext +# You now have myCA.pem - the public certificate of your root CA, auxbrain.key - the private key for your webserver, auxbrain.pem - the public cert for your webserver. +``` + +Use the generated `auxbrain.pem` and `auxbrain.key` files for your webserver SSL/TLS configuration. For nginx, append following values to your server directive: +``` +listen 443 ssl; +ssl_certificate /path/to/auxbrain.pem; +ssl_certificate_key /path/to/auxbrain.key; +ssl_session_cache shared:SSL:1m; +ssl_session_timeout 5m; +ssl_ciphers HIGH:!aNULL:!MD5; +ssl_prefer_server_ciphers on; +``` + +Import the self-signed CA (myCA.pem) to your phone's truststore (Check under your phone's Security/Encryption settings). Once all of that is done, run the app for first time. ``` 192.168.1.212 - - [...] "POST /ei/first_contact HTTP/1.1" 404 0 "-"