by pencilo 4571 days ago
You're slightly wrong on the app side of things and the keys.

There are in fact two 'secret' keys. One is a fixed SHA256 hash used for their weird request generation and one is the fixed AES-128 key for encrypting snaps. The two have nothing to do with each other besides both being named secret.

Also, it was not ctrl+F for "secret" so much as looking at the call sites for calls down into crypto libraries; from there it is simple back-tracing to see where the keys came from. Debug symbols are nice, but it works just as well if they strip debug symbols and obfuscate.


Meh, I literally ctrl-F'd and looked for "encrypt". Worked on the first try.

You're right about the keys though, I always forget which keys get used for what.
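Added example (written here, not code from either commenter or from the app discussed): the check both comments describe, done the way a defender would run it in CI over their own source rather than over a stripped binary. It finds call sites into crypto APIs and back-traces the key argument to see whether it is a fixed literal, the same question pencilo answers by tracing from crypto call sites and the reply answers by searching for "encrypt". The `crypto` module, `AES.new`, `sha256` and the sample source are constructed stand-ins for whatever library a real app links against; the sample is only parsed, never executed.

```python
import ast

# Constructed sample source (hypothetical app code, not from any real app).
# 'crypto', 'AES.new' and 'sha256' stand in for whatever crypto library the
# app links against; the source is only parsed, never imported or executed.
SAMPLE_SOURCE = '''
import os
from crypto import AES, sha256

SECRET = b"0123456789abcdef"          # fixed 16-byte key assigned at module level
REQ_TOKEN = sha256(b"static-seed")    # fixed hash used for request generation

def encrypt_snap(data):
    cipher = AES.new(SECRET, AES.MODE_CBC)
    return cipher.encrypt(data)

def encrypt_upload(data):
    key = os.urandom(16)              # key produced at runtime, not a literal
    cipher = AES.new(key, AES.MODE_CBC)
    return cipher.encrypt(data)
'''

# Callees we treat as entry points into a crypto library (assumed names).
CRYPTO_CALLEES = {"AES.new", "sha256"}


def callee_name(node):
    """Dotted name of a Call's callee, e.g. 'AES.new'; '' if not resolvable."""
    if isinstance(node, ast.Attribute):
        base = callee_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def literal_assignments(tree):
    """Collect every 'name = <bytes or str literal>' in the module, any scope.

    Shadowing is ignored on purpose: this is a triage check, so a name that is
    ever bound to a literal is worth a look."""
    consts = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, (bytes, str))):
            consts[node.targets[0].id] = node.value.value
    return consts


def find_hardcoded_keys(source):
    """Flag crypto call sites whose first argument traces back to a literal.

    Returns a list of dicts sorted by line: callee, line, origin ('literal' or
    'constant <name>') and the literal value."""
    tree = ast.parse(source)
    consts = literal_assignments(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or callee_name(node.func) not in CRYPTO_CALLEES:
            continue
        if not node.args:
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, (bytes, str)):
            origin, value = "literal", arg.value
        elif isinstance(arg, ast.Name) and arg.id in consts:
            origin, value = f"constant {arg.id}", consts[arg.id]
        else:
            continue  # key comes from a runtime value (os.urandom, KDF, keystore, ...)
        findings.append({"callee": callee_name(node.func), "line": node.lineno,
                         "origin": origin, "value": value})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['callee']} key is {f['origin']} -> {f['value']!r}")
```

On the sample it reports the `sha256` call fed a literal seed and the `AES.new` call whose key resolves to the module constant `SECRET`, and stays quiet on the `os.urandom` path. Anything this flags in a shipping build is recoverable by exactly the tracing the comments describe, whether or not symbols are stripped, so the fix is to move the key out of the binary, not to hide the name.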