
I'm pentesting an Android application written in Cordova, and while inspecting the network traffic I found an interesting endpoint that I would like to test. However, this endpoint needs a token ID (e.g. eyJ[...].eyJ[...]), and I don't know why, even after doing SSL unpinning (with more than one Frida script), I'm unable to intercept the request that is used to generate the token.

After some static analysis, I realized that the token is being requested by com.android.gms (Google Mobile Services).

I managed to find the gcm_defaultSenderId, google_api_key and google_app_id. However, since the APK is obfuscated, I didn't manage to discover how to craft the request.

Do any of you know if there is a way to craft GMS tokens using a script?

D.Rek

    The app must be using Google's Firebase API. You have to intercept communication of Google Play Services with Google as well. – defalt Sep 21 '21 at 09:50
  • Thanks for your feedback @defalt. This must be it, because the application does use Firebase. Any guess on how to SSL unpin Google Play Services with Frida? – D.Rek Sep 25 '21 at 08:05
  • Root the device and use SSLUnpinning 2.0 xposed framework module. – defalt Sep 25 '21 at 13:18

0 Answers
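The token value in the question has the shape of a compact JWT: two base64url-encoded JSON segments (a JSON object always encodes to a prefix of `eyJ`) followed by a signature. Before trying to craft or replay one, it is worth decoding the header and payload to read the issuer (`iss`), audience (`aud`) and expiry (`exp`), since those claims identify which service mints the token and how long a captured one stays usable. The script below is an added example, not code from the original post or any Google library. The sample token and every claim in it are constructed here with a placeholder signature; nothing is verified, so what it reports is only what the token says about itself.

```python
"""Peek at the header and payload of a JWT-shaped token without verifying it.

Added example for identifying a token like the eyJ[...].eyJ[...] value in the
question. The sample token below is constructed: made-up claims, fake signature.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip off."""
    segment = segment.strip()
    padding = (-len(segment)) % 4
    return base64.urlsafe_b64decode(segment + "=" * padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_jwt(token: str) -> dict:
    """Return the decoded header, payload and signature length of a compact JWS.

    The signature is NOT checked. The 'alg'/'kid' values come straight from the
    untrusted header, so they must never be used to drive verification logic;
    here they only help identify the issuing service. Raises ValueError for
    anything that is not JWT-shaped.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_raw, payload_raw, sig_raw = parts
    try:
        header = json.loads(_b64url_decode(header_raw))
        payload = json.loads(_b64url_decode(payload_raw))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return {
        "header": header,
        "payload": payload,
        "signature_len": len(_b64url_decode(sig_raw)),
    }


def summarize(token: str, now: Optional[int] = None) -> dict:
    """Pull out the claims a tester cares about and check whether it has expired."""
    info = peek_jwt(token)
    hdr, pl = info["header"], info["payload"]
    now = int(time.time()) if now is None else now
    exp = pl.get("exp")
    return {
        "alg": hdr.get("alg"),
        "kid": hdr.get("kid"),
        "iss": pl.get("iss"),
        "aud": pl.get("aud"),
        "sub": pl.get("sub"),
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else exp - now,
    }


def make_sample_token() -> str:
    """Build a constructed token (placeholder claims, placeholder signature)."""
    header = {"alg": "RS256", "kid": "example-kid", "typ": "JWT"}
    payload = {
        "iss": "https://issuer.example/project",   # hypothetical issuer
        "aud": "project",
        "sub": "user-123",
        "iat": 1632200000,
        "exp": 1632203600,                          # one hour after iat
    }
    fake_signature = b"not-a-real-signature"
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(fake_signature),
    ])


SAMPLE_TOKEN = make_sample_token()

if __name__ == "__main__":
    print(SAMPLE_TOKEN[:12] + "...")
    print(json.dumps(summarize(SAMPLE_TOKEN), indent=2))
```

Run it against the real token captured from the app in place of `SAMPLE_TOKEN`; the `iss` and `aud` values will say which Google service issued it, and `seconds_left` tells you whether a captured token can simply be replayed against the endpoint while you work on intercepting the request that mints it.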