
Registration fails

Open mastier opened this issue 1 year ago • 11 comments

Hi, thanks for creating that tool, I am hoping this will work as soon as the Desktop app is deprecated.

The registration fails for me, how can I help with debugging it? I anonymized my data.

$ authy-cli register XX ZZZZZZZZZ
2024/03/14 13:04:54 Checking status of account XX-ZZZZZZZZZ
2024/03/14 13:04:55 Account ID is 0
2024/03/14 13:04:55 Device registration request sent to other devices via 
2024/03/14 13:04:55 Please accept this request.
2024/03/14 13:04:55 error: json: cannot unmarshal string into Go struct field RegistrationStatus.message of type struct { RequestStatus string "json:\"request_status\"" }
2024/03/14 13:04:55 Writing all HTTP requests to 2024-03-14T13:04:54.har
2024/03/14 13:04:55 !!! THIS HAR MAY CONTAIN SENSITIVE INFORMATION !!!

I am not sure what to share but this is what I got from .har

$ cat 2024-03-14T13\:04\:54.har |jq |grep statusText
          "statusText": "406 Not Acceptable",
          "statusText": "404 Not Found",
          "statusText": "406 Not Acceptable",

mastier avatar Mar 14 '24 12:03 mastier
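The unmarshal error in the log above says the API now returns `message` as a plain string where the CLI expected a `{"request_status": ...}` object. The usual Go fix is a custom `UnmarshalJSON` that accepts both shapes instead of failing on the first one it does not recognise. The following is an added example, not authy-cli's own code; the field names `RequestStatus` and `request_status` are taken from the error text, and the sample response bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RequestStatus is the object form of "message" that the error text
// shows the CLI expecting (reconstructed from the log, not authy-cli's code).
type RequestStatus struct {
	RequestStatus string `json:"request_status"`
}

// Message holds either the string form or the object form of "message".
type Message struct {
	Text   string        // set when the API sent a bare string
	Status RequestStatus // set when the API sent the object form
	IsText bool
}

// UnmarshalJSON tries the plain-string form first, then the object form,
// so a change in the server's shape does not abort the whole decode.
func (m *Message) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		m.Text, m.IsText = s, true
		return nil
	}
	var rs RequestStatus
	if err := json.Unmarshal(b, &rs); err != nil {
		return fmt.Errorf("message: neither string nor object: %w", err)
	}
	m.Status, m.IsText = rs, false
	return nil
}

// RegistrationStatus is a hypothetical minimal struct for the response.
type RegistrationStatus struct {
	Success bool    `json:"success"`
	Message Message `json:"message"`
}

// ParseRegistrationStatus decodes a response body of either shape.
func ParseRegistrationStatus(b []byte) (RegistrationStatus, error) {
	var r RegistrationStatus
	err := json.Unmarshal(b, &r)
	return r, err
}

// Constructed sample bodies: the older object form and the newer string form.
const oldBody = `{"success": true, "message": {"request_status": "pending"}}`
const newBody = `{"success": false, "message": "Invalid request."}`

func main() {
	for _, body := range []string{oldBody, newBody} {
		r, err := ParseRegistrationStatus([]byte(body))
		if err != nil {
			fmt.Println("decode failed:", err)
			continue
		}
		if r.Message.IsText {
			fmt.Printf("success=%v message=%q\n", r.Success, r.Message.Text)
		} else {
			fmt.Printf("success=%v request_status=%q\n", r.Success, r.Message.Status.RequestStatus)
		}
	}
}
```

A decode that still fails for a third shape (say, a number) returns a wrapped error rather than silently zeroing the field, so the CLI can log the raw body and keep the HAR for investigation.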
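Since the CLI warns that the HAR may contain sensitive information and the reporter was unsure what to share, here is an added Go example (not part of authy-cli) that summarizes a HAR as method, path and status line, and emits a redacted copy with query strings stripped and sensitive header values masked. The header list is an assumption (`Attestation-Access-Token` is the one named later in this thread); the embedded HAR, its host and its secret values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Minimal HAR 1.2 subset. Fields not listed here (request postData,
// response content, cookies) are intentionally dropped on re-encode,
// so bodies never reach the redacted copy.
type harHeader struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type harRequest struct {
	Method  string      `json:"method"`
	URL     string      `json:"url"`
	Headers []harHeader `json:"headers"`
}
type harResponse struct {
	Status     int         `json:"status"`
	StatusText string      `json:"statusText"`
	Headers    []harHeader `json:"headers"`
}
type harEntry struct {
	Request  harRequest  `json:"request"`
	Response harResponse `json:"response"`
}
type harFile struct {
	Log struct {
		Entries []harEntry `json:"entries"`
	} `json:"log"`
}

// sensitiveHeaders is an assumed list; extend it for the API in question.
var sensitiveHeaders = map[string]bool{
	"authorization":            true,
	"cookie":                   true,
	"set-cookie":               true,
	"attestation-access-token": true,
}

func redactHeaders(hs []harHeader) {
	for i := range hs {
		if sensitiveHeaders[strings.ToLower(hs[i].Name)] {
			hs[i].Value = "[REDACTED]"
		}
	}
}

// Summarize returns one "METHOD /path -> statusText" line per entry,
// which is usually all that is needed in a bug report.
func Summarize(har []byte) ([]string, error) {
	var h harFile
	if err := json.Unmarshal(har, &h); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(h.Log.Entries))
	for _, e := range h.Log.Entries {
		u, err := url.Parse(e.Request.URL)
		if err != nil {
			return nil, err
		}
		out = append(out, fmt.Sprintf("%s %s -> %s", e.Request.Method, u.Path, e.Response.StatusText))
	}
	return out, nil
}

// Redact returns a copy of the HAR with query strings removed and
// sensitive header values masked on both request and response.
func Redact(har []byte) ([]byte, error) {
	var h harFile
	if err := json.Unmarshal(har, &h); err != nil {
		return nil, err
	}
	for i := range h.Log.Entries {
		e := &h.Log.Entries[i]
		u, err := url.Parse(e.Request.URL)
		if err != nil {
			return nil, err
		}
		u.RawQuery = "" // query strings often carry API keys
		e.Request.URL = u.String()
		redactHeaders(e.Request.Headers)
		redactHeaders(e.Response.Headers)
	}
	return json.MarshalIndent(h, "", "  ")
}

// Constructed sample HAR; the host, token and key values are placeholders.
const sampleHAR = `{"log":{"entries":[
 {"request":{"method":"POST","url":"https://api.example.invalid/json/devices/access_tokens/fetch?api_key=SECRET123",
   "headers":[{"name":"Attestation-Access-Token","value":"tok-abc"},{"name":"Content-Type","value":"application/json"}]},
  "response":{"status":406,"statusText":"406 Not Acceptable","headers":[]}},
 {"request":{"method":"GET","url":"https://api.example.invalid/json/users/status","headers":[]},
  "response":{"status":404,"statusText":"404 Not Found","headers":[{"name":"Set-Cookie","value":"sid=xyz"}]}}
]}}`

func main() {
	lines, err := Summarize([]byte(sampleHAR))
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
	red, err := Redact([]byte(sampleHAR))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(red))
}
```

Dropping bodies outright rather than trying to scrub them is the safe default here: the registration flow carries device secrets in request and response bodies, and a header allowlist is far easier to audit than a body regex.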

Sorry it's not working for you, Twilio has made changes to Authy recently, I guess that broke it. I'll take a look and see if I can figure out the new registration workflow.

jmhobbs avatar Mar 14 '24 15:03 jmhobbs

If I can help, please let me know. Cool stuff.

mastier avatar Mar 14 '24 15:03 mastier

Sorry for the delay on this. It looks like Authy updated their API, and I've not been able to intercept traffic where device registration actually succeeds. Emulator failed, next step is a rooted device. I'm not a mobile dev, so it might (continue) to take a while.

jmhobbs avatar Jul 10 '24 05:07 jmhobbs

Have you considered disassembly of the binary?

mastier avatar Jul 10 '24 13:07 mastier

Have you considered disassembly of the binary?

I ran the APK through Android Studio but didn't get very far. Nothing jumped out in the HTTP client as new or different, but again, I haven't done mobile development in years 😬

The endpoint strings all look the same, so I assume it's a new header or token, etc.

Do you have any recommended tools or workflows?

jmhobbs avatar Jul 10 '24 15:07 jmhobbs

@jmhobbs I suggest using a tool like https://proxyman.io/ so you can see the traffic and the new login experience of the app. Hope it helps.

francotc avatar Sep 11 '24 19:09 francotc

@francotc Thanks for the suggestion. I have attempted a proxy debugger but they pin the TLS cert and also have some Android integrity API stuff going on, so I can't MITM on my phone, and it won't run properly in an emulator.

My current plan is to root my phone when I eventually replace it and do a root level CA for my proxy. Hopefully the root won't prevent the integrity checks from passing, or can be bypassed.

jmhobbs avatar Sep 11 '24 20:09 jmhobbs

On iOS the cert is not pinned. I was checking, and the missing part in your script is Attestation-Access-Token, which is generated at the beginning. I was able to make the script work by intercepting the traffic of an iOS/iPadOS device at the beginning to get a valid attestation token (because, as it uses some hardware feature, I don't know how it can be faked); then in Proxyman I added a script to add the attestation token to the request, and that way it works.

francotc avatar Sep 11 '24 21:09 francotc

@francotc Oh, rad. I've got an old iPad laying around, I'll hook up and see if I can get this fixed up.

jmhobbs avatar Sep 11 '24 21:09 jmhobbs

Another thing I was checking is that the decrypted_seed is not the correct one. Do you know why that could be?

  • From the fix perspective, maybe you could add an input at the start to enter the Attestation Token
  • And I don't know if it's the expected behaviour with the CLI, but after a few minutes the session is closed

francotc avatar Sep 11 '24 21:09 francotc

I believe it requests a token from here https://api.authy.com/json/devices/access_tokens/fetch and puts the token in an Attestation-Access-Token header with the other requests. But I cannot seem to get the token API to work yet. It keeps returning

{
    "message": "Invalid request.",
    "success": false,
    "errors": {
        "message": "Invalid request."
    },
    "error_code": "60002"
}

This is the POST JSON request I have tried. I found MY_DEVICEID using the ADB command settings get secure android_id.

{
    "device_uuid": "authy::[MY_DEVICEID]",
    "integrity_token": "",
    "platform": "Android"
}

Hopefully sharing this knowledge will get this wonderful app working again.

craigp1231 avatar Oct 26 '24 17:10 craigp1231