(Un)official Habr application - HabrApp 2.0: gaining access

One languid and already rather boring evening, leafing through the official Habr application, I once again bent my fingers, one for each non-working feature. Here, for example, it is impossible to comment, here the right to vote is denied, and in general, why are the formulas not visible on the screen?

It was decided: we need something comfortable, pleasant, our own. What about our own application for Habr?
Let's take a few screenshots to understand the situation.

This is roughly what the official habr.com application looks like

List of "inconveniences"

  • Can't rate a post with a rating other than 0
  • It is not always possible to write a comment
  • Polls not working
  • Formulas not visible in dark theme (black on black)
  • Not all bookmarks are available

Yes, the application has not been updated since August last year, but it is still bad. Basically, it needs to be fixed.

Part one. Looking for access.

A quick Google search for "habrahabr API" turns up an already outdated repository on GitHub, not updated since November 21, 2016, and that, for a moment, is two and a half years.

Ignoring the fact that this is PHP, scroll down and read:

Getting the Application ID

Using this form on Habrahabr, you need to briefly describe the essence of the new application and the purpose for which it needs an API.

No problem: if access has to be requested, then we request it. We write a letter (abbreviated):

Letter

There is a desire to make an application for Habr based on PWA. There are several reasons for this. 

First and most obvious: the Android app doesn't meet my personal requirements.

Second: there are not enough native notifications about all sorts of things that usually come to the mail (comments, for example).

Third: personal digests (as a perspective) on people/hubs that interest me, taking into account my interests.

The answer, of course, was not very pleasant, but at least honest:

Unfortunately, access to our API is not available at the moment. We plan to resume providing access after we finish refining the API, but we do not have any exact dates yet, because we are currently busy with other priorities.

“Okay, no problem! We'll come up with something!” - I said to myself, and began to search.

Part two. Deep excavations.

Logically, if the application works, then it has access to the API, and that access is hardwired into the application. Let's analyze.

Since we are dealing with traffic, Wireshark is our choice. Having connected the phone to the Internet through a desktop computer, not without torment, we open the application and look at the requests:

It is clear that nothing is clear

Yes, everything is encrypted, but you don't want to mess around with cryptography. Then you need to look inside the application itself.

Having decompiled the .apk, let's start looking. What does any API need? Right, an endpoint, the place where all requests go. It's probably http(s), so let's try to find "https://":

In the file AuthLinkManager.smali we find:

.field OAUTH:Ljava/lang/String; = "https://habrahabr.ru/auth/o/%s/"
.field OAUTH_PARAMS:Ljava/lang/String; = "?client_id=%s&response_type=token&redirect_uri=%s"
.field OAUTH_REDIRECT_URL:Ljava/lang/String; = "http://cleverpumpkin.ru"

This is code for the Android virtual machine (Dalvik VM), not very understandable to a person, but still quite informative. These three constants, judging by their content and names, as well as by the GitHub repository, are used to request an access token using the GET method.

Let's look further. The next file that comes up in the search is NetworkModule.smali:

const-string v0, "https://habr.com/api/v1/"

And here is the place to send requests!

For the normal operation of a self-written client, it remains to find out only one thing - client_id, which is most likely a unique application identifier.

However, the search for this text in the sources did not lead to finding relevant information ...

But suddenly, in one file, my eye caught some interesting lines:

const-string p8, "log-tag"
invoke-static {p8, p2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

This, as you can understand, is a log entry. But a record of what?

Part three. Here are the logs!

Use adb logcat to view application logs.

Surprisingly, the logs were even more detailed than expected.

Here we have not only the client_id we need, but also the user/application token, and the login and password in plain text!

Some conspiracy theories

In itself, the presence of a login and password in the logs does not harm anything, since these logs can only be read if you have either root rights or a connection via adb. But because the people reading Habr include Android developers who may have debugging enabled, this becomes a problem.

In this case, “free charging” at the airport can result in account hijacking, although who needs it?

From these logs you can extract:

  • client_id and apikey, required to access the API;
  • User authorization URL (strange, but there is nothing about this method in the repository, maybe not provided?)
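A defender-side check for the leak described above, as an added example that is not part of the original article: it parses `adb logcat -v threadtime` output captured from a test run of your own app and flags lines where the keys found here (client_id, apikey, token, login, password) appear with a value. The sample capture, host and values are constructed; the key list and patterns are assumptions to adapt.

```python
import re
from typing import NamedTuple

# Keys named in the article's findings; extend for your own app (assumption).
SENSITIVE_KEYS = ("client_id", "apikey", "access_token", "token", "login", "password")

# `adb logcat -v threadtime` layout: date time PID TID level tag: message
LOGCAT_LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$"
)
# key=value (query strings, form bodies) or "key": "value" (JSON bodies).
SECRET = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(SENSITIVE_KEYS) + r')("?\s*[=:]\s*"?)([^\s"&,;}]+)',
    re.IGNORECASE,
)

class Finding(NamedTuple):
    pid: int
    level: str
    tag: str
    keys: list
    redacted: str

def redact(message: str) -> str:
    """Keep the key and separator, replace only the value."""
    return SECRET.sub(lambda m: m.group(1) + m.group(2) + "<redacted>", message)

def audit(log_text: str) -> list:
    """Return one Finding per logcat line that exposes a sensitive key."""
    findings = []
    for line in log_text.splitlines():
        parsed = LOGCAT_LINE.match(line)
        if not parsed:
            continue  # separators such as "--------- beginning of main"
        keys = [m.group(1).lower() for m in SECRET.finditer(parsed["msg"])]
        if keys:
            findings.append(Finding(int(parsed["pid"]), parsed["level"],
                                    parsed["tag"], keys, redact(parsed["msg"])))
    return findings

# Constructed capture: host and values are made up; "log-tag" is the tag seen in the smali.
SAMPLE = """\
--------- beginning of main
05-14 21:03:11.482  4821  4821 D log-tag : POST https://example.invalid/auth login=alice&password=hunter2
05-14 21:03:11.913  4821  4840 D log-tag : response {"access_token": "tok-constructed", "ttl": 3600}
05-14 21:03:12.004  4821  4840 I ActivityManager: Displayed com.example.app/.MainActivity: +312ms
05-14 21:03:12.250  4821  4840 D log-tag : GET /feed?client_id=cid-constructed&apikey=key-constructed&page=2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"pid={f.pid} {f.level}/{f.tag} leaks {f.keys}: {f.redacted}")
```

Run against a release build's log capture, any finding is a reason to fail the build. The underlying fix is to stop logging these values, for example by stripping `android.util.Log.d` calls from release builds with an R8/ProGuard `-assumenosideeffects` rule.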

That's how it happened. On the basis of this tiny study, work is already underway on a small project - our own implementation of a mobile application. I ask those who want to help to write in messages, and everyone else to vote (because I want to understand if anyone needs it).

Thank you for your attention!

Do you use the Habr mobile app?

  • Yes, I use it, everything suits me

  • Yes, I use it, the app is annoying

  • No, I use the web version on my phone

  • No, I use Habr from a computer

357 users voted. 30 users abstained.

Source: habr.com