I am trying to talk with an API endpoint usually used by a secure app. I have managed to defeat the signature by extracting the private key from the app. All headers, bearer token and device token match. I did this by trial and error, checking the "real" requests, matching mine to it and checking again. I let the app initiate the connection and then use the same bearer token and device-token as the app uses.

I know the signature is correct, because when I use my signing function to "resign" a request made by the app, it gives the same signature. I have looked at the same request my app sends as the original app sends, and they are exactly the same.

However, when I try to do the request via my program, it will tell me the device is invalid (unpaired). There are two things that could still be it:

The app sends a nonce with every request. I used a hash recognizer and it said it is a v4 UUID. As far as I can find, those cannot be traced back to a device, so that cannot be it.

The other thing I found is a weird form data boundary used in requests, which seems to be unique and is formatted like this:

Boundary+B04892CA082BE003

Is there any hash scheme / signature method that uses this kind of boundary to detect a specific device?

Fire Quacker