
The (un)official HabrApp 2.0: getting access

by admin

One languid and already slightly annoying evening, I was leafing through the official Habr app, for the umpteenth time counting off on my fingers, one for each thing that didn’t work. Here, for example, you can’t comment, here you’re denied the right to vote, and in general, why can’t you see the formulas on the screen?

It was decided: we need something handy, nice, our own. What about your own Habr app? Let me give you some screenshots to understand the situation.
It looks something like this: the official habr.com app
List of "inconveniences"

  • You cannot rate a publication whose rating is different from 0
  • It is not always possible to write a comment
  • Surveys don’t work
  • Formulas are not visible in dark theme (black on black)
  • Not all bookmarks are available

Yeah, the app hasn’t been updated since last August, but it’s still bad. Anyway, we need to fix it.

Part One. In Search of Access.

A quick Google query for “habrahabr API” turns up a rather outdated repository on GitHub, which has not been updated since Nov 21, 2016.
Disregarding the fact that this is PHP, scroll down and read:

Getting the application identifier

Using this form on Habrahabr, you need to briefly describe the essence of the new application and the purpose for which it needs an API.

No problem, if it’s necessary to get access, then it’s necessary. Let’s write a letter (in abbreviated form):


There is a desire to make a PWA-based application for Habr. There are several reasons for this.

First and most understandable: the Android app does not meet my personal requirements.

Second: not enough native notifications for all sorts of things that usually come in the mail (comments, for example).

Third: personal digests (as a prospect) on people/hubs of interest to me, given my interests.

The answer, of course, was not very nice, but at least it was honest:

Unfortunately, access to our API is currently not available. We plan to resume providing access after we finish fine-tuning the API, but we don’t have any exact dates yet, as we are busy tackling other priorities at the moment.

“Okay, no problem! We’ll figure something out!” – I said to myself, and started looking.

Part Two. Deep Excavations.

Logically, if the application works, then it has access to the API, and that access is embedded in the application itself. Let’s analyze.

Since we are dealing with traffic, Wireshark is our choice. After some agony connecting the phone to the Internet via a desktop computer, we open the application and look at the requests:

It is clear that nothing is clear
Yes, everything is encrypted, and you don’t want to mess with the cryptography. Then you have to look inside the application itself.

Having decompiled the apk, let’s start looking. What does any API need? Right, an endpoint, the place where all the requests go. It is probably an http(s) URL, so let’s try to find “https://”.
In the file AuthLinkManager.smali we find:

.field OAUTH:Ljava/lang/String; = "https://habrahabr.ru/auth/o/%s/"
.field OAUTH_PARAMS:Ljava/lang/String; = "?client_id=%s&response_type=token&redirect_uri=%s"
.field OAUTH_REDIRECT_URL:Ljava/lang/String; = "http://cleverpumpkin.ru"

This is code for the Android virtual machine (Dalvik VM), not very human-readable, but still quite informative. These three constants, judging by their content and names, as well as by the GitHub repository, are used to request an access token with a GET request.

Let’s keep looking. The next file to come up in the search is NetworkModule.smali:

const-string v0, "https://habr.com/api/v1/"

And here’s where the requests go!

The only thing left to figure out for the self-written client to work properly is client_id, which is most likely the unique identifier of the application.

However, searching the sources for this text turned up nothing relevant…

But suddenly, in one file, some interesting lines caught my eye:

const-string p8, "log-tag"
invoke-static {p8, p2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

This is, as you can understand, a log entry. But a log of what?
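A static check for the pattern quoted above, as an added example that is not part of the original article or of the Habr app: a developer can run it over the decompiled smali of their own release build to flag leftover Log.d / Log.v calls and resolve the tag each one uses. The sample smali is constructed around the two instructions quoted in the article; the method names in it are hypothetical.

```python
import re

# const-string <reg>, "<literal>"
CONST_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
# invoke-static {<regs>}, Landroid/util/Log;-><level>(
LOG_RE = re.compile(
    r'^\s*invoke-static(?:/range)?\s*\{([^}]*)\},\s*Landroid/util/Log;->\s*([vdiwe])\(')

def find_log_calls(smali_text, levels="vd"):
    """Return (line_no, level, tag) for each android.util.Log call whose level
    is in `levels`. The tag is the last string literal loaded into the call's
    first register, or None when it was not loaded by a const-string.
    Simplification: other instructions that overwrite a register are ignored."""
    regs, findings = {}, []
    for no, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            regs = {}                      # registers are scoped to one method
            continue
        m = CONST_RE.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = LOG_RE.match(line)
        if m and m.group(2) in levels:
            args = re.findall(r"[vp]\d+", m.group(1))   # first register = tag
            findings.append((no, m.group(2), regs.get(args[0]) if args else None))
    return findings

# Constructed sample; only the "log-tag" pair comes from the article.
SAMPLE_SMALI = '''\
.method private send(Ljava/lang/String;)V
    const-string p8, "log-tag"
    invoke-static {p8, p2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    const-string v0, "net"
    invoke-static {v0, p2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
.end method
.method public other()V
    invoke-static {v1, v2}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
.end method
'''

if __name__ == "__main__":
    for no, level, tag in find_log_calls(SAMPLE_SMALI):
        print(f"line {no}: Log.{level} tag={tag!r} left in build")
```

Used as a release gate, any finding at level d or v means debug logging survived into the shipped build and its arguments need review.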

Part Three. That’s the way the logs are!

Use adb logcat to view the application logs.


Unexpectedly, the logs were even more detailed than expected.

There’s not only the client_id we need, but also the user/application token, as well as the login and password in plain text!

Some conspiracy theories
The mere presence of the login and password in the logs does not do any harm by itself, because these logs can only be read either with root rights or by connecting via adb. But since there are Android developers among Habr’s readers who may have debugging enabled, this becomes a problem.
In that case, “free charging” at the airport could turn into account theft. Although who needs it?

From these logs you can derive:

  • client_id and apikey required to access the API;
  • User authorization URL (strange, but there is nothing about this method in the repository, maybe it is not provided)
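The leak described above can be caught before release by scanning the app's own debug output. The following is an added example, not code from the article or the app: it parses logcat lines in the threadtime layout, flags messages that carry the key names the article found (client_id, apikey, token, login, password) and emits a redacted copy. All sample lines, hosts and values are constructed.

```python
import re

# logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r'^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[VDIWEF]\s+(.*?)\s*: (.*)$')
# Key names are the ones the article reports seeing in the app's log output.
PAIR_RE = re.compile(r'''(?ix)
    (["']?) ([\w-]*(?:client_id|apikey|token|login|password)) \1  # key
    (\s*[=:]\s*)                                                  # separator
    (["']?) ([^"'&\s,}]+) \4                                      # value
''')

def _mask(p):
    # Keep key, quotes and separator; replace only the value.
    return (p.group(1) + p.group(2) + p.group(1) + p.group(3)
            + p.group(4) + "[REDACTED]" + p.group(4))

def scan(lines):
    """Return (findings, redacted); a finding is (line_no, tag, key)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        # Scan only the message so a tag such as "Token" is not read as a key.
        prefix, tag, msg = ((line[:m.start(2)], m.group(1), m.group(2))
                            if m else ("", "?", line))
        findings += [(no, tag, p.group(2).lower()) for p in PAIR_RE.finditer(msg)]
        redacted.append(prefix + PAIR_RE.sub(_mask, msg))
    return findings, redacted

# Constructed sample lines (not captured from any real device or account).
SAMPLE = [
    '03-14 21:07:11.482  4123  4150 D log-tag: GET https://api.example.com/auth'
    '?client_id=EXAMPLE-CLIENT-ID&response_type=token',
    '03-14 21:07:12.030  4123  4150 D log-tag: body '
    '{"login":"user@example.com","password":"example-pass"}',
    '03-14 21:07:12.911  4123  4150 D log-tag: headers token: EXAMPLE-TOKEN '
    'apikey: EXAMPLE-APIKEY',
    '03-14 21:07:13.100  4123  4123 I ActivityManager: Displayed com.example.app/.MainActivity',
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE)
    for no, tag, key in found:
        print(f"line {no}: tag {tag!r} logs a value for {key!r}")
    print("\n".join(clean))
```

The matcher is deliberately broad, so a harmless message such as "login: ok" is also reported; for an audit of your own build that is the safer direction to err in.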

That’s how it turned out. On the basis of this tiny study we are already working on a small project: our own implementation of a mobile application. If you want to help, please write to me in messages, and everyone else, please vote (because I want to see if anyone needs it).
Thank you for your consideration!
