I'm trying to understand how a mobile application encrypts the password when I submit a POST request from the mobile application to the API, so that I can write Python code that uses the same algorithm to send an encrypted password to the API, the same as the mobile app does.
I tried to capture a private API of a mobile app. I got the request that the application sends, but what is funny here is that the application is encrypting the password before it sends it via a POST request to the API. This is how the password looks in the request:
password=GmdKoBhIne4g3KR8JeR/Cg==
The mobile app is encoding the password (which I already know) when it sends a request to the API, but what I want is to catch the way this mobile application is encrypting the password. The encryption type is not Base64 (for sure, lol). I tried to send a request to the API without the encryption, and I got an error, which means the API is decrypting the password.
So I tried to decompile the mobile app, and I got the source code. It was trouble: the source code was complex and had random function names, which made it very hard to read, lol; variable names were randomly generated after I decompiled the APK.
So I tried to search the source code for keywords like (password, API, ...), and finally I got a line where I can start. I'm trying to catch how the mobile application converts a password string to an unknown encryption type. Two days ago I decompiled an APK file, but the encryption is still hard to catch :( I found this:
and the function returns:
if (str21 != null) {
i = str21.hashCode();
}
return hashCode23 + i;
but I still can't understand anything from the encryption algorithm :(
I was searching the source code and I found two files, CERT.SF and CERT.RSA. I don't know, but I feel that those two files can help me; the CERT.SF file includes many SHA-256-Digests, and the RSA one I can't read.
I tried to test letters in the form where I post the request in the app. For example, I thought that I could catch letters like (A, B, C, ... 1, 2, 3, ...), but when I post A, I see in Burp Suite that the password is again generated as a random string like before, so nothing changed.
If someone with cryptography knowledge can help me solve this, that would be amazing <3
Thanks.
So, thanks to some Chinese articles that helped me figure this out.
The mobile application was obfuscated, but thank God I found some traces that the app was using AES/CBC/PKCS5Padding. So I jumped up, rooted my device, bypassed SSL pinning, and installed the friendly Frida server on my device's shell. I got the PID of the mobile application and found many scripts that help to detect secret keys on the mobile, but no script was working. So I tried to understand how Frida can detect the secret keys, and I coded a custom Python script that scrapes keys from the mobile app. I can't share the custom Python script because it includes the functions of the mobile app that I'm pentesting, but I can help with some sources to understand how Frida can bypass the cipher algorithm:
Frida : https://github.com/frida/frida
Exploit code : https://github.com/Kc57/blog_post_code/tree/master/frida-python-bindings-example
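An added Python example, not the poster's script, that does the triage the question skips: it decodes the captured value and checks whether its size fits a block cipher with PKCS5 padding (the AES/CBC/PKCS5Padding the answer eventually found), and shows why a one-letter password still produces a full 16-byte block. OBSERVED_TOKEN is the value from the captured request above; nothing here needs the key.

```python
import base64
import binascii

# Value taken from the captured POST request quoted in the question.
OBSERVED_TOKEN = "GmdKoBhIne4g3KR8JeR/Cg=="

AES_BLOCK = 16  # AES/CBC/PKCS5Padding always emits whole 16-byte blocks


def pkcs5_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Pad like Java's PKCS5Padding: n bytes of value n, never zero bytes."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Strip PKCS5 padding, rejecting anything malformed."""
    if not data or len(data) % block:
        raise ValueError("length is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def expected_ciphertext_len(plaintext_len: int, block: int = AES_BLOCK) -> int:
    """Ciphertext size for a plaintext of this length under PKCS5 padding.
    A 1-byte and a 15-byte password both become one 16-byte block, which is
    why typing 'A' still yields a same-length random-looking string."""
    return (plaintext_len // block + 1) * block


def analyze_token(token: str, block: int = AES_BLOCK) -> dict:
    """Decode a Base64 field and report what block-cipher padding implies."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False}
    aligned = len(raw) > 0 and len(raw) % block == 0
    return {
        "base64": True,
        "ciphertext_bytes": len(raw),
        "block_aligned": aligned,
        # k blocks of PKCS5 output cover plaintexts of (k-1)*block .. k*block-1 bytes.
        "plaintext_len_range": (len(raw) - block, len(raw) - 1) if aligned else None,
        # Plain Base64 of a password would decode to printable text; ciphertext does not.
        "printable_ascii": all(32 <= b < 127 for b in raw),
    }
```

The 16-byte result only says the plaintext was at most 15 bytes; a fixed key embedded in the app makes this client-side step obfuscation, not protection, which is the point for anyone reviewing such a design.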