The (un) official Habr application - HabrApp 2.0: access

    In one languid and already rather boring evening, I, leafing through the official app of the Habr, once again bent my fingers, one for each idle feature. Here, for example, it is impossible to comment, they are denied the right to vote, and in general, why are the formulas not visible on the screen?

    It was decided: you need something comfortable, pleasant, your own. What about your app for Habr?
    Let’s give a few screenshots to understand the situation.

    Somehow it looks like this - of. application

    The list of "inconveniences"
    • You cannot rate a publication whose rating is other than 0
    • It is not always possible to write a comment
    • Surveys do not work
    • The formulas are not visible in the dark topic (black on black)
    • Not All Bookmarks Available

    Yes, the application has not been updated since last August, but still bad. In general, you need to fix it.

    Part one. In search of access.

    A quick request to Google “habrahabr API” is already issued by the obsolete github repository , which has not been updated since November 21, 2016 , and this, for a minute, is two and a half years .

    Ignoring the fact that this is PHP, scroll down and read:

    Get Application ID

    Using  this form  on Habrahabr, you need to briefly describe the essence of the new application and the purpose for which it needs an API.

    It’s not a question if you need to get access, then you need to. We write a letter (in abbreviation):


    There is a desire to make an application for Habr based on PWA. There are several reasons for this. 

    The first and most understandable: the Android application does not meet my personal requirements.

    Second: there are not enough native notifications about all kinds of things that usually come to the post office (comments, for example).

    Third: personal digests (as a prospect) for the people / hubs that interest me, given my interests.

    The answer, of course, was not very pleasant, but at least honest:

    Unfortunately, access to our API is not currently available. We plan to resume providing access after we finish the finalization of the API, but we don’t have any exact dates yet, because at the moment we are busy solving other priority tasks.

    “Okay, it doesn’t matter! We’ll come up with something! ”I told myself, and began to search.

    Part two. Deep excavation.

    Based on the logic, if the application works, then it has access to the API, and it is wired into the application. Let's analyze.

    Since we are dealing with traffic, Wireshark is our choice. Not without torment by connecting the phone to the Internet through a stationary computer, open the application and look at the requests:

    It’s clear that nothing is clear.

    Yes, everything is encrypted, but I don’t want to mess with cryptography. Then you need to look inside the application itself.

    Having decompiled .apk , we begin to search. What does any API need? That's right, endpoint , the place where all requests go. This is probably http (s), try to find “https: //”:

    in the file AuthLinkManager.smaliwe find

    .field OAUTH:Ljava/lang/String; = ""
    .field OAUTH_PARAMS:Ljava/lang/String; = "?client_id=%s&response_type=token&redirect_uri=%s"
    .field OAUTH_REDIRECT_URL:Ljava/lang/String; = ""

    This is the code for the Android virtual machine ( Dalvik VM ), not very clear for humans, but still quite informative. These three constants, judging by their contents and name, as well as the GitHub repository, are used to request an access token using the method GET.

    We look further. The next file to find is NetworkModule.smali:

    const-string v0, ""

    And here is the place to go with requests!

    There is only one thing left to find out for the self-signed client to work properly client_id, which is most likely a unique identifier for the application.

    However, searches of this text in the sources did not lead to finding relevant information ...

    But suddenly, in one file, my eyes caught on interesting lines:

    const-string p8, "log-tag"
    invoke-static {p8, p2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    This, as you can understand, is a log entry. But a record of what?

    Part three. Here are the logs!

    We use adb logcatto view the application logs.

    Unexpectedly, but the logs were even more detailed than expected.

    Here there is not only the one we need client_id, but also the user / application token , as well as the plaintext login and password !

    Some conspiracy theories
    The presence of login and password logs in itself does not harm anything, since these logs can only be read with either root rights or a connection through adb. But due to the fact that among people reading Habr, there are developers on android who can have debugging enabled, this becomes a problem.

    In this case, the “free charge” at the airport can result in theft of the account , although who needs it?

    From these logs you can make:

    • client_idand apikeynecessary to access the api ;
    • User authorization URL (strange, but there is nothing in the repository about this method, maybe it’s not provided?)

    And so it happened. Based on this tiny study, work is already underway on a small project - its own implementation of a mobile application. If you want to help, please write in messages, and everyone else - to vote (because I want to understand if anyone needs this).

    Thanks for attention!

    Only registered users can participate in the survey. Please come in.

    Do you use the Habr mobile app?

    • 5.6% Yes, I use it, everything suits me 47
    • 24.3% Yes, I use it, the application is inconvenient 201
    • 35.4% No, I use the web version on the phone 293
    • 34.5% No, I use Habr from the computer 285

    Also popular now: