gpsoauth icon indicating copy to clipboard operation
gpsoauth copied to clipboard

Published 20 hours ago verified publisher icon simon-weber

consider newer Android API

Open ghost opened this issue 1 year ago • 6 comments

the current implementation:

https://github.com/simon-weber/gpsoauth/blob/b22c57a236eb0bd63517cb4c1bf35d3fca35e2c7/gpsoauth/init.py#L134-L152

from what I can tell is based on Android API 19, which is dated around 2013:

https://apilevels.com

have you considered bumping up the implementation? it seems starting with API 21, Google is using something more like this:

POST /auth HTTP/1.1
Host: android.clients.google.com
Accept-Encoding: identity
Connection: Keep-Alive
User-Agent: GoogleAuth/1.4 (generic_x86 LSY66K); gzip
app: com.google.android.gms
content-type: application/x-www-form-urlencoded
device: 3760dcd91...

ACCESS_TOKEN=1&
add_account=1&
device_country=us&
droidguard_results=CgYXdhUgp-PSEFsAAHdU9h5a1xWSAFpFJRNTS5M9AC4R4ZGh9VMLBADDJ6...&
google_play_services_version=11055270&
is_dev_key_gmscore=1&
lang=en_US&
sdk_version=21&
service=ac2dm&
Email=s...&
androidId=3760dcd91...&
Token=oauth2_4%2F0Adeu5BVnTdwNdQyQ97hA6iZKM3KitofkyAKOb3yucDZ0JxPCvMJ3c7y-lmHr...

admittedly, getting that Token value to plug into the request is not simple, but after 10 years it might be time to start thinking about it.

ghost avatar Aug 10 '23 02:08 ghost

I don't use this library for any of my own projects anymore so I'm not planning on making any major changes to it, but if someone else wants to look into it I can help get things merged.

simon-weber avatar Aug 10 '23 02:08 simon-weber

OK might have hit a brick wall. it seems the /_/lookup/accountlookup request is protected by a value bgRequest, which is Google bot-guard protection.

ghost avatar Aug 18 '23 12:08 ghost

OK I tested again by manually installing Google Play API 21 with the oldest apps I could get working:

package: name='com.android.vending' versionCode='81085000'
versionName='10.8.50-all [0] [PR] 206058588'

package: name='com.google.android.gms' versionCode='205066013'
versionName='20.50.66 (020700-351698872)'

package: name='com.google.android.gsf' versionCode='21'
versionName='5.0.2-1649326'

and I also blocked updates with this filter:

/~u play-apps-download-default.download.by-id/444

but still, the result is the request is protected by Google bot-guard. so I think I am out of ideas, because I am not skilled enough to reverse that.

ghost avatar Aug 20 '23 18:08 ghost

Aw, ok. I don't think I'll be able to resolve that - it's been ages since I've done anything with Android - but I appreciate the attempt!

simon-weber avatar Aug 21 '23 02:08 simon-weber

@1268 The results from the (500+) tests I did: Parameters: 'add_account' is required for some accounts to prevent an 'UNKNOWN ERROR' (aas token) 'client_sig' is needed if you want a longer expiration time for the token (auth token).

I couldn't find any more errors related to other parameters.

If you want to follow that approach (auth2_4 token) I suggest u to check: https://gitlab.com/AuroraOSS/gplayapi/-/tree/master https://github.com/whyorean/Authenticator (You can make it return the auth2_4 token, but you need to make changes)

GRodrig avatar Aug 21 '23 14:08 GRodrig

OK well as of now I have switched to Android API 21, which means my package no longer supports email/password login:

https://github.com/1268/google/commit/784a2a7ba45352a06ff5213082ce402a61427e9c

I dont think people will like that, but I am not really interested in supporting a 10 year old API any more. also I was able to rip out the custom TLS code, which make the process much better from a coding standpoint. I will leave this open in case @simon-weber or anyone has any ideas on the bot guard.

ghost avatar Aug 22 '23 03:08 ghost