
I pulled the keys out of the Android client this weekend. Not as good of a write-up, but I used apktool to convert the APK back to XML resource files and smali Dalvik assembler. Grepped for Hmac and added some logging. Did the same thing for oauth_consumer_key. Rebuilt it as an APK with apktool. Signed it with jarsigner. Watched the logs and logged in. I think the best part is this key can use xauth so other clients can have the nicer UX of the official client.

    invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v0

    # Added logging
    const-string v1, "PrivateKey"
    invoke-static {v1, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    const-string v1, "UTF8"

    invoke-virtual {v0, v1}, Ljava/lang/String;->getBytes(Ljava/lang/String;)[B

    move-result-object v0

    new-instance v1, Ljavax/crypto/spec/SecretKeySpec;

    const-string v2, "HmacSHA1"

    invoke-direct {v1, v0, v2}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V


  D/PrivateKey(18590): XXXXXX
  D/Auth Header(18590): OAuth realm="http://api.twitter.com/", oauth_version="1.0", oauth_nonce="2404904914329321765488437936138011", oauth_timestamp="1345512606", oauth_signature="gEvQOcGWO7aPCYTemRy%2BkYH3oFM%3D", oauth_consumer_key="3nVuSoBZnx6U4vzUxf5w", oauth_signature_method="HMAC-SHA1"
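
Why the string handed to `SecretKeySpec` is recoverable at all, as an added example that is not part of the original comment: OAuth 1.0 HMAC-SHA1 (RFC 5849) keys the MAC with the consumer secret joined to the token secret, so the client must hold the consumer secret in usable form and the server can only check that the same shared value was used. That the smali above builds this RFC 5849 key is an assumption; the URL, parameters and secrets below are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    """HMAC key: both secrets joined by '&' (token secret empty before a token exists)."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def base_string(method, url, params):
    """METHOD & encoded URL & encoded sorted parameters (URL assumed already normalized)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """Base64 HMAC-SHA1 of the base string, as sent in oauth_signature."""
    key = signing_key(consumer_secret, token_secret).encode("utf-8")
    msg = base_string(method, url, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def server_verify(method, url, params, signature, consumer_secret, token_secret=""):
    """The server recomputes with the same shared secret; nothing else identifies the client."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample request; none of these values come from the thread.
SAMPLE_URL = "https://api.example.com/1/statuses/update.json"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "status": "hello world & more",
}

if __name__ == "__main__":
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, "constructed-consumer-secret")
    print(sig, server_verify("POST", SAMPLE_URL, SAMPLE_PARAMS, sig, "constructed-consumer-secret"))
```

Any program holding the same consumer secret produces a signature the server accepts, so for an installed app the consumer key and secret work as a public client identifier, not as proof of which client is calling.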


are you intentionally neglecting the additional steps to make this work, or did you not test your assumptions against the requests that the app actually sends? ;)


I tested this with the Twitter API. This key was already leaked in 2010 at https://github.com/mitsuhiko/logbook/blob/master/twitter-sec.... So I will just post it here. https://twitter.com/armooo/status/237729837157060609 take a look at the name of the client.

    >>> key = 'Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys'
    >>> oauth_consumer_key = '3nVuSoBZnx6U4vzUxf5w'
    >>> import tweepy
    >>> auth = tweepy.OAuthHandler(oauth_consumer_key, key)
    >>> auth.get_xauth_access_token('armooo', <password>)
    <tweepy.oauth.OAuthToken object at 0x110985810>
    >>> api = tweepy.API(auth)
    >>> api.update_status('This is an update %s:%s' % (oauth_consumer_key, key))
    <tweepy.models.Status object at 0x110985c90>


ah, yes, you're right, was thinking of another api endpoint.



Reading this http://nelenkov.blogspot.com/2012/07/using-app-encryption-in... it looks like if you have root on your phone you can still access the APKs. Sounds like it is using the same encryption system as the apps on SD. But I have not had a chance to look at it.



