Reverse engineering crappy IoT apps is a hobby of mine, but a lot of them have started to pin certificates so you cannot see what they are doing behind the scenes. I have put this tutorial together to show how to bypass that pinning on Android 😉.
About the Author
The code for my Wyze Home Assistant integration can be found on GitHub 👇
GitHub - JoshuaMulliken/ha-wyzeapi: Home Assistant Integration for Wyze devices.
This is a custom component to allow control of various Wyze devices in Home Assistant using the unofficial API. Please note this mimics the Wyze app and therefore access may be cut off at any time.
Feel free to visit my site if you want to connect!
- OWASP Zap
- Rooted Android Phone
Since the apps we are interested in are not debuggable, frida-server has to run as root, so the phone must be rooted.
- Install OWASP ZAP
brew install owasp-zap
It is available on basically all platforms: https://www.zaproxy.org/download/
- Install Frida
pip3 install frida-tools
Configure your phone to work with OWASP Zap
- Open "Options"
- In "Options" click "Local Proxies" and add a new proxy with an IP address that is reachable from the phone (the LAN address of your machine, not 127.0.0.1).
- Export the certificate by going to "Dynamic SSL Certificate" and saving the certificate to a path on your machine.
- Add the cert to your Android phone. I used adb push and then installed it in Settings. Note that since Android 7 apps only trust user-installed CAs if their network security config opts in; on a rooted phone the CA can instead be placed in the system store, which every app trusts.
- Add the proxy to your network config. Go to "Wi-Fi" → tap the ⚙️ next to your network → tap the ✏️ → under Proxy change "None" to "Manual" and add the IP address and port that you configured in Step 2.
NOTE: Be sure to enable "Behind NAT" if you are using a private IP (you should be).
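The same phone setup done from the workstation, as an added example that is not from the original post: instead of installing the ZAP certificate as a user CA through Settings and editing the Wi-Fi proxy by hand, this script drops the CA into the system trust store of the rooted phone (so Android 7+ apps trust it regardless of their network security config) and sets the device-wide proxy with `adb shell settings`. It assumes a rooted phone with `su` on the PATH (for example from Magisk), `adb` and `openssl` on the workstation, and that the file saved from ZAP's "Dynamic SSL Certificate" dialog is PEM; the IP, port and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: install the ZAP root CA into the
# phone's *system* trust store and set the global HTTP proxy from adb.
# Assumptions: rooted phone with `su` (e.g. Magisk), `adb` and `openssl` on
# the workstation, certificate exported from ZAP in PEM form.
set -eu

# Build the host:port string Android's global proxy setting expects. Only a
# dotted IPv4 address (the LAN address ZAP listens on) and a port in 1..65535
# are accepted; anything else is refused before it reaches adb.
proxy_spec() {
    host="$1"
    port="$2"
    case "$host" in
        ""|*[!0-9.]*) echo "proxy_spec: bad host '$host'" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "proxy_spec: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "proxy_spec: port '$port' out of range" >&2
        return 1
    fi
    printf '%s:%s\n' "$host" "$port"
}

# Android looks system CAs up by OpenSSL's "old" subject hash, so the file in
# /system/etc/security/cacerts must be named <subject_hash_old>.0.
system_ca_name() {
    printf '%s.0\n' "$(openssl x509 -inform PEM -noout -subject_hash_old -in "$1")"
}

# Run one command as root on the phone (quoted once for the device shell).
as_root() {
    adb shell "su -c '$*'"
}

# Copy the CA into the system store. Remounting /system read-write works on
# older devices; on newer devices with a read-only system partition this
# fails and a Magisk module (or the user-CA route from the post) is needed.
install_system_ca() {
    pem="$1"
    name="$(system_ca_name "$pem")"
    adb push "$pem" "/data/local/tmp/$name"
    as_root mount -o remount,rw /system
    as_root cp "/data/local/tmp/$name" "/system/etc/security/cacerts/$name"
    as_root chmod 644 "/system/etc/security/cacerts/$name"
    as_root mount -o remount,ro /system
    echo "installed system CA $name; reboot the phone for it to be picked up"
}

# Point every app on the device at ZAP (same effect as the manual Wi-Fi edit).
set_global_proxy() {
    spec="$(proxy_spec "$1" "$2")"
    adb shell settings put global http_proxy "$spec"
}

# Undo the proxy when done, otherwise the phone has no network once ZAP stops.
clear_global_proxy() {
    adb shell settings put global http_proxy :0
}

# Usage with a device attached: sh zap_phone.sh <zap_root_ca.cer> <zap-ip> <zap-port>
if [ $# -eq 3 ]; then
    install_system_ca "$1"
    set_global_proxy "$2" "$3"
fi
```

`clear_global_proxy` is worth running before you put the phone away: a global proxy pointing at a ZAP that is no longer listening looks exactly like a dead Wi-Fi link.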
Setup and Run Frida
- On a rooted Android phone install frida-server following the instructions here: https://frida.re/docs/android/ (or use a helper that installs it and starts it on boot, if you prefer)
- Get the app id of the app you are interested in by running:
- Download the unpinning script for Frida here: https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js
- Run and instrument the app with
frida --no-pause -U -l ./frida-script.js -f <YOUR_APP>
- You should see connections from the app start to appear in your OWASP ZAP history window
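The Frida steps above wrapped in one script, as an added example that is not from the original post or the httptoolkit project: it downloads the unpinning script, starts frida-server the way the frida.re Android docs do, looks the package identifier up from `frida-ps -Uai` by the app's display name, and spawns the app with the script loaded. It assumes frida-server has already been pushed to /data/local/tmp/frida-server on the rooted phone and that `adb`, `curl` and frida-tools are installed; the app names and identifiers in the sample listing are constructed, not taken from a device.

```shell
#!/bin/sh
# Added example, not from the original post: automate the Frida steps.
# Assumptions: frida-server already at /data/local/tmp/frida-server on the
# rooted phone (per https://frida.re/docs/android/), adb + curl + frida-tools
# on the workstation.
set -eu

UNPIN_URL='https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js'
FRIDA_SCRIPT="${FRIDA_SCRIPT:-./frida-script.js}"
FRIDA_SERVER='/data/local/tmp/frida-server'   # assumed location on the phone

# Constructed sample of a `frida-ps -Uai` listing (PID is "-" for apps that
# are installed but not running); not captured from a real device.
SAMPLE_PS=' PID  Name            Identifier
----  --------------  ----------------------------------
2231  IoT Cam         com.example.iotcam
   -  Home Assistant  io.homeassistant.companion.android
   -  Settings        com.android.settings'

# Read a frida-ps listing on stdin and print the identifier of the app whose
# display name (which may contain spaces) matches exactly. Data rows start
# with a PID or "-"; the identifier is always the last column. Exit status is
# 1 when nothing matches so callers can tell "not installed" from success.
app_id_for() {
    awk -v want="$1" '
        $1 ~ /^([0-9]+|-)$/ && NF >= 3 {
            name = $2
            for (i = 3; i < NF; i++) name = name " " $i
            if (name == want) { print $NF; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

fetch_unpin_script() {
    [ -f "$FRIDA_SCRIPT" ] || curl -fsSL -o "$FRIDA_SCRIPT" "$UNPIN_URL"
}

# Same invocation the frida.re docs use: run the server as root, backgrounded.
start_frida_server() {
    adb shell "su -c $FRIDA_SERVER &"
    sleep 1
}

unpin_and_run() {
    app_name="$1"
    fetch_unpin_script
    start_frida_server
    pkg="$(frida-ps -Uai | app_id_for "$app_name")" || {
        echo "no app named '$app_name' on the device; check frida-ps -Uai" >&2
        return 1
    }
    echo "spawning $pkg with $FRIDA_SCRIPT"
    # Spawn (-f) rather than attach so the hooks are installed before the
    # app's first TLS handshake. Current frida-tools resume the spawned app
    # automatically and reject --no-pause; add it back only on old versions
    # where the app otherwise stays suspended.
    frida -U -l "$FRIDA_SCRIPT" -f "$pkg"
}

# Usage with a device attached: sh unpin.sh 'IoT Cam'
if [ $# -eq 1 ]; then
    unpin_and_run "$1"
fi
```

If the app starts but nothing shows up in ZAP, run `frida-ps -Uai` by hand and check that the identifier you spawned is the one the app actually uses; some vendors ship several builds under similar display names.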
Congratulations you now have access to the traffic! Now please go out and make a new Home Assistant integration for your favorite IoT crap.
©️ 2021. Mulliken LLC. All rights reserved