Get Mobile App Source Code Encrypted by IBM MobileFirst
Hey! I’m Roman, CTO at HasData. Sometimes I do mobile apps reverse engineering to access APIs and reproduce queries in Python or NodeJS code. This is necessary to create a data scraper. In one of the recent scraped apps I noticed traces of using IBM MobileFirst.
IBM MobileFirst (or IBM Mobile Foundation) is a platform for developing, optimizing, integrating and managing secure mobile applications.
Disclaimer
I won’t mention here the name of the application.
The IBM site documentation notes that this protection doesn’t provide unbreakable encryption, but provides a basic level of obfuscation.
Application Analysis
Firstly, I tried to intercept traffic between the mobile application and the server using mitmproxy. But I got an error because the application uses SSL pinning.
To disable SSL pinning, I used the Frida utility. Here’s one of the examples Frida’s scripts to bypass SSL pinning - https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/.
I tried to use frida scripts we created for applications we explored before, but nothing worked. This application probably has a custom SSL pinning implementation for which my past practice doesn’t work.
Application Decompilation
For decompiling Android applications I used JADX.
hasdata@MacBook-Pro-hasdata some_app % jadx -d ./source_code ./some_app.apk
INFO - loading ...
INFO - processing ...
ERROR - finished with errors, count: 25
At the output, JADX gave us 2 directories: resources and sources. Let’s take a look inside the source.
hasdata@MacBook-Pro-hasdata some_app % ls -la source_code/sources
total 0
drwxr-xr-x 18 techvice staff 576 Jun 27 15:18 .
drwxr-xr-x 5 techvice staff 160 Jun 27 15:19 ..
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 a
drwxr-xr-x 4 techvice staff 128 Jun 27 15:18 android
drwxr-xr-x 5 techvice staff 160 Jun 27 15:18 androidx
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 b
drwxr-xr-x 33 techvice staff 1056 Jun 27 15:18 c
drwxr-xr-x 19 techvice staff 608 Jun 27 15:18 com
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 cordova
drwxr-xr-x 23 techvice staff 736 Jun 27 15:18 d
drwxr-xr-x 4 techvice staff 128 Jun 27 15:18 de
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 defpackage
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 e
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 im
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 net
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 nl
drwxr-xr-x 5 techvice staff 160 Jun 27 15:18 org
drwxr-xr-x 3 techvice staff 96 Jun 27 15:18 uk
In the sources directory of the decompiled application, there is a Cordova directory. Well, we know what we are dealing with now.
Applications built on Cordova are regular web applications that run on the Chromium engine. JS, CSS and HTML files required for the application work located in the `resources/assets/www
` directory. I open this directory and see…
Surprise! Instead of the expected HTML, CSS and JS files, I saw a zip archive split into several parts.
Of course, I tried to unpack it, but, as expected, I got an error that the archiver was unable to do this.
Getting Source Code
Firstly I looked for the encryption key, tried to research how the encryption/decryption algorithm works. A few hours later it struck me…
Previously I said that Cordova applications are regular web applications running on the Chromium engine. But Chromium can’t decompress and decrypt zip archives! So, before the application starts, this archive should be unpacked somewhere.
I launched the app on the Android Emulator. Using SSH I connected to the emulator shell and executed a couple of bash commands like find . -name index.html
. After a few minutes, I managed to find a place on the file system where the encrypted zip archive is unpacked.
This is what the source code looks like.
Final Thoughts
I clicked on index.html, which opened in Chrome browser. Then at the Network tab in Chrome Dev Tools (to open press F12) I found all the requests that the application makes to the server.
Might Be Interesting
Dec 6, 2024
XPath vs CSS Selectors: Pick Your Best Tool
Explore the key differences between CSS selectors and XPath, comparing their advantages, limitations, and use cases. Learn about performance, syntax, flexibility, and how to test and build selectors for web development.
- Basics
- Use Cases
Oct 29, 2024
How to Scrape YouTube Data for Free: A Complete Guide
Learn effective methods for scraping YouTube data, including extracting video details, channel info, playlists, comments, and search results. Explore tools like YouTube Data API, yt-dlp, and Selenium for a step-by-step guide to accessing valuable YouTube insights.
- Python
- Tutorials and guides
- Tools and Libraries
Sep 20, 2024
Easy Way to Get an Up-to-Date List of Retail Clothing Stores
Learn the easiest ways to get an up-to-date list of retail clothing stores, including methods like no-code scraping, using Google Maps, and exploring alternative sources for accurate retail data.
- Use Cases
- E-commerce