frida-interception-and-unpinning
com.peacocktv.peacockandroid
I start the app, then click Sign In. I enter Email and Password and click Sign In. Then I get:
An error has occurred. Please try again.
I can share account for testing if need be.
Ok, interesting, thanks for reporting that @89z. I'm afraid I don't have much time to look into this myself right now, sorry, but I'll see if I get some time later on or if anybody else here is keen to help out.
Do you have any clues to the underlying issue yet? Both the Frida script logs and your ADB logs from the device would be very useful, especially if there's any related errors listed in there. Or any clues you've found from unpackaging the app and tracing down the failure itself.
Found this [1]:
Ended up they use their own custom cert that is sent from client requests for certain domains. If the cert isn't there, you get an error. This is why the proxied requests would fail.
The cert is hidden and mixed up in code. So couldn't reverse it that way.
However, been getting used to Frida which lets you hook into functions. Managed to hook into the function that uses the cert and then printed the cert out to console. Then into python and success!
But what's weird is I get the above error, even if not doing MITM. If I run the app from a physical phone, it works. But I just cannot get past the login screen using an emulator, even with the same password.
Frida script logs and your ADB logs
I will try to get this info today.
- https://forum.kodi.tv/showthread.php?tid=355867&pid=3075197#pid3075197
Ended up they use their own custom cert that is sent from client requests for certain domains. If the cert isn't there, you get an error. This is why the proxied requests would fail.
This makes sense, and I think if they're doing that level of auth it's not uncommon that they'll do checks for emulators etc with SafetyNet or similar and block execution in those environments, which would explain your other issue.
For client certs like these, for any intercepting proxy, you'll need to extract the cert and configure the proxy to use it for upstream connections. For HTTP Toolkit, you can add it on the settings page and configure which hostnames it should be used for there.
You can try https://github.com/rednaga/APKiD to test the APK for a few possible checks. Root-check detection is yet to be done.
Do either of you have experience rooting a physical device?
Yep, I almost always use rooted physical devices for testing, there's quite a few apps that will refuse to work on emulators.
Do I need some special software? Or can you point me to something to get me started?
You want to buy a phone that you're happy to wipe and potentially brick, for starters (I'd suggest getting something 2nd hand that was popular a couple of years ago).
The specific steps involved vary significantly depending on the device. I would search for docs for devices you're looking at purchasing (before you purchase - there's a few rare models that are not rootable at all).
In general, you usually need to:
- Flash a recovery image (this lets you hold a special key during boot to get into recovery mode, to flash a full OS) like TWRP
- Use the recovery image to flash a custom OS like LineageOS
- Install Magisk and enable root
It's hard to be more specific though, the process changes frequently with new releases of both Android itself and all the rooting/custom ROM projects & tools, and the steps always vary by device too.
Buy something reasonably popular and there'll be 1000 more specific step-by-step guides on google.
OK I was finally able to get past the login using Android Studio. All my tests until now, I was trying without MITM. I figured I just wanted to try it "normally" first without trying to capture anything. Since that wasn't working, I decided to try MITM just for the hell of it. So I installed Android API 23 with user certificate, no Frida (AKA easy mode). Sure enough, I was able to intercept all requests up to and including the failed login request:
POST https://rango.id.peacocktv.com/signin/service/international HTTP/2.0
content-type: application/x-www-form-urlencoded
x-skyott-device: MOBILE
x-skyott-proposition: NBCUOTT
x-skyott-provider: NBCU
x-skyott-territory: US
userIdentifier=MY_EMAIL&password=MY_PASSWORD
However on the response for that one, I noticed something strange:
HTTP/2.0 429
I played with the request, and for some reason this header is what fucks it up:
x-skyott-device: MOBILE
Use your MITM tool to remove this header, but only from this request, as other requests need the header. For example with MITM Proxy:
set modify_headers '/~u signin.service.international/x-skyott-device/'
then the request works, and you make it to the next screen.
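For anyone who would rather script the header removal than type it into the mitmproxy console, here is an equivalent mitmproxy addon. It is an added example, not code from this repo or from the poster above: the `strip_header` helper is a plain-Python version of the same rule (drop `x-skyott-device` only when the URL matches the sign-in path, leave every other request untouched) so it can be checked without mitmproxy installed, and the `StripSigninDeviceHeader` class is the hook mitmproxy would load with `mitmproxy -s strip_signin_header.py` (the filename is an assumption). The URL and header names are the ones from the captured request above.

```python
# Added example (not part of frida-interception-and-unpinning): a mitmproxy
# addon that removes the x-skyott-device header only from the Peacock sign-in
# request, since the thread reports that other requests still need it.
import re
from typing import Dict

# Path fragment from the captured request in the thread; other requests are left alone.
SIGNIN_PATTERN = re.compile(r"/signin/service/international")
HEADER = "x-skyott-device"


def strip_header(url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` with HEADER removed iff `url` is the sign-in endpoint.

    Header names are case-insensitive in HTTP, so any capitalisation is matched.
    Pure Python so the rule can be verified without mitmproxy installed.
    """
    out = dict(headers)
    if SIGNIN_PATTERN.search(url):
        for name in list(out):
            if name.lower() == HEADER:
                del out[name]
    return out


class StripSigninDeviceHeader:
    """mitmproxy addon: the `request` hook runs for every client request."""

    def __init__(self) -> None:
        self.stripped = 0  # count of modified requests, handy for the event log

    def request(self, flow) -> None:  # flow is a mitmproxy.http.HTTPFlow
        if SIGNIN_PATTERN.search(flow.request.pretty_url):
            # mitmproxy's Headers is case-insensitive, so one pop is enough.
            if flow.request.headers.pop(HEADER, None) is not None:
                self.stripped += 1


# mitmproxy discovers addons through this module-level list.
addons = [StripSigninDeviceHeader()]


if __name__ == "__main__":
    # Constructed sample mirroring the captured request, for a quick offline check.
    sample = {
        "content-type": "application/x-www-form-urlencoded",
        "x-skyott-device": "MOBILE",
        "x-skyott-territory": "US",
    }
    signin = "https://rango.id.peacocktv.com/signin/service/international"
    print(strip_header(signin, sample))
    print(strip_header("https://rango.id.peacocktv.com/other", sample))
```

The helper copies the header dict rather than mutating it, so it can be called against a captured flow's headers without side effects; in the live addon the header is removed in place because that is what actually changes the outgoing request.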