Reverse Engineering Android Apps - rmalbrecht/VaillantCloud GitHub Wiki

Reverse Engineering Android Apps

Any Android app that makes HTTPS API requests (in this case to the myVAILLANT API) can be reverse engineered with an Android device and a laptop or PC that runs ADB. Both need to be on the same network; creating a hotspot from the Android device also works.

  1. Run mitmproxy:
     ```zsh
     brew install mitmproxy
     mitmproxy -p 8080
     ```
  2. In your Android Wi-Fi settings set a manual proxy pointing to the IP of the device running mitmproxy, port 8080.
  3. Add a proxy bypass for identity.vaillant-group.com[^1]
  4. Visit mitm.it on your Android device, download the CA certificate and install it through the Settings app.

Host part:

=== "brew"

```zsh
brew install android-platform-tools
brew install --cask android-commandlinetools
brew install adb-enhanced
```

Now the client part:

  1. Install ADB on your laptop and connect your Android device via USB with USB debugging enabled.
  2. Look for the myVaillant APK online and download it.
  3. Install apk-mitm and run it on the APK. This takes a few minutes.

=== "apk-mitm myVAILLANT_3.0.0_APKPure.xapk"

```zsh
➜  apk-mitm myVAILLANT_3.0.0_APKPure.xapk
╭ apk-mitm v1.3.0
├ apktool v2.9.3. 
╰ uber-apk-signer v1.3.0
✔ Checking prerequisities
✔ Decoding APK file
✔ Applying patches
✔ Encoding patched APK file
✔ Signing patched APK file
Done!  Patched file: ././myVAILLANT_3.0.0_APKPure-patched.xapk
```

Then install it:

In my version 3.0.0 the installation failed because of a missing android:resource entry in an XML file. There is an icon missing in the meta-data section; replace the icon name @NULL with the name of another icon in the file. To do that, start apk-mitm with the --wait option; it then stops before recreating the package and you can edit the XML file.
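A helper for that manifest fix, added here as an example and not part of the wiki or the apk-mitm project: while apk-mitm is paused by --wait, run it against the decoded AndroidManifest.xml. It counts meta-data entries whose android:resource is "@null" and rewrites them to a resource the manifest already references. The manifest path, the choice of fallback resource (the first @mipmap or @drawable reference found) and the sample manifest at the bottom are assumptions; confirm the chosen resource exists under the decoded res/ directory before letting apk-mitm continue.

```shell
#!/bin/sh
# Added example (not from the wiki or apk-mitm): fix meta-data entries whose
# android:resource is "@null" in an apktool-decoded AndroidManifest.xml by
# substituting a resource name that the manifest already uses. The fallback
# choice and the sample manifest are constructed assumptions.

count_null_resources() {
    # Number of android:resource="@null" (any letter case) occurrences; prints 0 if none.
    grep -c 'android:resource="@[Nn][Uu][Ll][Ll]"' "$1" || true
}

first_image_resource() {
    # First @mipmap/... or @drawable/... reference already present in the manifest,
    # e.g. the launcher icon from android:icon="@mipmap/ic_launcher".
    grep -oE 'android:[A-Za-z]+="@(mipmap|drawable)/[A-Za-z0-9_.]+"' "$1" \
        | head -n 1 | sed 's/^[^=]*="\(.*\)"$/\1/'
}

patch_null_resources() {
    # Rewrite the manifest in place; returns 1 if no usable resource exists.
    manifest="$1"
    replacement="$(first_image_resource "$manifest")"
    [ -n "$replacement" ] || return 1
    sed "s#android:resource=\"@[Nn][Uu][Ll][Ll]\"#android:resource=\"$replacement\"#g" \
        "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Constructed sample standing in for <decoded-apk>/AndroidManifest.xml.
SAMPLE_MANIFEST="${TMPDIR:-/tmp}/AndroidManifest.sample.xml"
cat > "$SAMPLE_MANIFEST" <<'EOF'
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:icon="@mipmap/ic_launcher" android:label="@string/app_name">
        <meta-data android:name="com.example.BROKEN_ICON" android:resource="@null"/>
        <meta-data android:name="com.example.OK_ICON" android:resource="@drawable/ic_notification"/>
    </application>
</manifest>
EOF

echo "null resources before: $(count_null_resources "$SAMPLE_MANIFEST")"
patch_null_resources "$SAMPLE_MANIFEST"
echo "null resources after:  $(count_null_resources "$SAMPLE_MANIFEST")"
```

Point `patch_null_resources` at the real manifest in apk-mitm's working directory instead of the sample; the script only touches the `android:resource` attribute and leaves the rest of the file as apktool wrote it.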

=== "xapk"

```zsh
unzip ././myVAILLANT_3.0.0_APKPure-patched.xapk
adb install-multiple com.vaillantgroup.enduserapp.vaillant.apk config.arm64_v8a.apk config.mdpi.apk
  Performing Incremental Install
  Serving...
  Success
  Install command complete in 1606 ms    
```

You should now see all API calls in mitmproxy (or, if you started mitmweb instead, in its web interface on http://127.0.0.1:8081).

Possible errors:

  • If you can't log in with SSO because of a certificate error, make sure you added the bypass for the identity host to the proxy settings.
  • If you can log in but the app reports an error, the unpinning didn't work.
  • You can try MagiskTrustUserCerts if you have a rooted Android device.

[Image: android-proxy] Source: digitalcitizen.life

[^1]: Single sign-on is handled in your browser, which uses certificate pinning as an added security measure.
