by mjg59 332 days ago
First up: this isn't criticism of the original post in the slightest, it's a wonderful journey through figuring out how a weird device that wants to be on your wifi works.

If you have a device that speaks to an Android app, you want https://github.com/niklashigi/apk-mitm - it'll strip pretty much every known certificate pinning implementation from an apk, and it'll also rewrite the manifest so it'll trust the user-installed certs without having to root your device to modify the system store. Uninstall the original app, sideload the output of apk-mitm, and then you can use mitmproxy on a stock device.

The other thing is that if a device is providing encrypted data to an app, and the app is displaying the decrypted data, then the app inherently either contains the decryption key somewhere or downloads it from somewhere. https://github.com/skylot/jadx will turn an apk into something that approximates Java, and digging through that will often let you figure out what the key is. But some vendors will decide that the appropriate way to handle this is to kick the cryptography out to native code, at which point you're into having to RE something in Ghidra. Depending on your mindset this is either incredibly tedious or incredibly fun, but it's generally possible.

The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up. It's worth spending time trying to figure out how code running on a device you own works, and even if you don't succeed in the end you're probably going to learn a lot in the process.

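As an added example (not part of the comment above, and not code from apk-mitm or jadx), here is a small Python helper that covers the two steps described: the network security config that lets a stock device trust a user-installed CA, and a first triage pass over jadx output to find where a hardcoded key or IV lives and whether the crypto has been pushed into a native library. The `SAMPLE_JAVA` string is a constructed, hypothetical snippet of what jadx produces; the config XML is the standard Android Network Security Config format, assumed here to be what a pinning-stripping tool injects rather than copied from any tool.

```python
"""Triage helpers for the MITM-an-Android-app workflow.

Added example, not the commenter's or any project's code. Everything below
runs offline on the constructed sample; point scan_jadx_output() at a real
jadx output directory to use it for real.
"""
import re
from pathlib import Path

# Standard Android Network Security Config trusting user-installed CAs as well
# as the system store. Assumption: this is the config a tool like apk-mitm adds
# (res/xml/network_security_config.xml) so mitmproxy's CA works without root.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def network_security_config() -> str:
    """XML to write to res/xml/network_security_config.xml in the unpacked APK."""
    return NETWORK_SECURITY_CONFIG


def manifest_attribute() -> str:
    """Attribute to add to <application> in AndroidManifest.xml (assumed name)."""
    return 'android:networkSecurityConfig="@xml/network_security_config"'


# Key/IV built from a Java byte-array literal, e.g.
#   new SecretKeySpec(new byte[]{49, 50, (byte) 0x7f, -1}, "AES")
_KEYSPEC = re.compile(
    r'new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*new\s+byte\[\]\s*\{([^}]*)\}'
    r'\s*,?\s*("(\w+)")?'
)
# Crypto kicked out to native code: you will be reading this .so in Ghidra.
_LOADLIB = re.compile(r'System\.loadLibrary\(\s*"([^"]+)"\s*\)')
# Long string constants: base64 keys, endpoints, token seeds all tend to sit here.
_STRING_CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]{16,})"')


def parse_java_bytes(body: str) -> bytes:
    """Turn the inside of a Java byte[] literal into bytes (Java bytes are signed)."""
    out = bytearray()
    for tok in body.split(","):
        tok = re.sub(r"\(\s*byte\s*\)", "", tok).strip()  # drop "(byte)" casts
        if not tok:
            continue
        value = int(tok, 16) if tok.lower().lstrip("-").startswith("0x") else int(tok, 10)
        out.append(value & 0xFF)  # -1 -> 0xff
    return bytes(out)


def find_key_material(java_src: str) -> dict:
    """Scan one decompiled Java source for key material and native-crypto hints."""
    findings = {"keys": [], "ivs": [], "strings": [], "native_libs": []}
    for kind, body, _, algo in _KEYSPEC.findall(java_src):
        raw = parse_java_bytes(body)
        entry = {"bytes": raw, "hex": raw.hex(), "algorithm": algo or None}
        findings["keys" if kind == "SecretKeySpec" else "ivs"].append(entry)
    findings["strings"] = _STRING_CONST.findall(java_src)
    findings["native_libs"] = _LOADLIB.findall(java_src)
    return findings


def scan_jadx_output(root: str) -> dict:
    """Run find_key_material over every .java file under a jadx output directory."""
    return {
        str(p): r
        for p in Path(root).rglob("*.java")
        if any((r := find_key_material(p.read_text(errors="replace"))).values())
    }


# Constructed sample of what jadx might emit; hypothetical package and names.
SAMPLE_JAVA = """
package com.example.thing;

public final class Crypto {
    static final String API_BASE = "https://api.example.invalid/v1/";
    static { System.loadLibrary("thingcrypto"); }

    public static byte[] decrypt(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec(new byte[]{49, 50, 51, 52, 53, 54, 55, 56,
            57, 48, 97, 98, 99, 100, 101, 102}, "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[]{-1, (byte) 0x7f, 0, 0, 0, 0,
            0, 0, 0, 0, 0, 0, 0, 0, 0, 0});
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k, iv);
        return c.doFinal(data);
    }
}
"""

if __name__ == "__main__":
    for name, items in find_key_material(SAMPLE_JAVA).items():
        print(name, items)
```

The `native_libs` list is the caveat from the comment made mechanical: if it is non-empty and no `SecretKeySpec` turns up in Java, the key is almost certainly inside that `.so`, and the next stop is Ghidra rather than more grepping.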
4 comments

Even if it's not for a device. I have an app that, like most apps, only gets worse with every update. I stopped all auto updates, backdated, all good. Eventually it stopped being able to connect to the servers. I heard about cert pinning, saw this repo, and tried it. Flawless victory.

And because its ad URLs are out of date or something, I see no ads. Which I don't feel bad about because again, all their development effort was in turning something working into something not working.

"The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up." If I couldn't strike lucky with an XOR brute force, my next plan of attack was to start poking at whatever Android app they had. It was only because my friend happened to find that someone else had already done it on GitHub that I managed to take the shortcut. If we hadn't found that GitHub repo I'd probably have a far more detailed writeup so that other people could follow on with their own appliance, if they happen to have the same or a similar one.
+1 on this... I was actually surprised this wasn't one of the earlier efforts, as to me it would have been one of the first things I tried. Given the webview aspects of the app, I wouldn't be surprised if it was using something WebCrypto was capable of in the app UI, with the key relatively obvious to yank out.

I'm a big fan of using web rendering for UI apps, but most devs are less interested in how to implement real security. Or add theatrical additions that just don't work with reality.

Not to overshadow apk-mitm, but I find PCAPdroid and its MITM plugin (which uses mitmproxy under the hood!) to be convenient if you want to look at things on the device.