gpsoauth
consider newer Android API
the current implementation:
https://github.com/simon-weber/gpsoauth/blob/b22c57a236eb0bd63517cb4c1bf35d3fca35e2c7/gpsoauth/__init__.py#L134-L152
from what I can tell is based on Android API 19, which is dated around 2013:
https://apilevels.com
have you considered bumping up the implementation? it seems starting with API 21, Google is using something more like this:
```
POST /auth HTTP/1.1
Host: android.clients.google.com
Accept-Encoding: identity
Connection: Keep-Alive
User-Agent: GoogleAuth/1.4 (generic_x86 LSY66K); gzip
app: com.google.android.gms
content-type: application/x-www-form-urlencoded
device: 3760dcd91...

ACCESS_TOKEN=1&
add_account=1&
device_country=us&
droidguard_results=CgYXdhUgp-PSEFsAAHdU9h5a1xWSAFpFJRNTS5M9AC4R4ZGh9VMLBADDJ6...&
google_play_services_version=11055270&
is_dev_key_gmscore=1&
lang=en_US&
sdk_version=21&
service=ac2dm&
Email=s...&
androidId=3760dcd91...&
Token=oauth2_4%2F0Adeu5BVnTdwNdQyQ97hA6iZKM3KitofkyAKOb3yucDZ0JxPCvMJ3c7y-lmHr...
```
admittedly, getting that Token value to plug into the request is not simple, but after 10 years it might be time to start thinking about it.
I don't use this library for any of my own projects anymore so I'm not planning on making any major changes to it, but if someone else wants to look into it I can help get things merged.
OK might have hit a brick wall. it seems the `/_/lookup/accountlookup` request is protected by a value `bgRequest`, which is Google bot-guard protection.
OK I tested again by manually installing Google Play API 21 with the oldest apps I could get working:
```
package: name='com.android.vending' versionCode='81085000' versionName='10.8.50-all [0] [PR] 206058588'
package: name='com.google.android.gms' versionCode='205066013' versionName='20.50.66 (020700-351698872)'
package: name='com.google.android.gsf' versionCode='21' versionName='5.0.2-1649326'
```
and I also blocked updates with this filter:
```
/~u play-apps-download-default.download.by-id/444
```
but still, the result is the request is protected by Google bot-guard. so I think I am out of ideas, because I am not skilled enough to reverse that.
Aw, ok. I don't think I'll be able to resolve that - it's been ages since I've done anything with Android - but I appreciate the attempt!
@1268 The results from the (500+) tests I did:

Parameters:
- 'add_account' is required for some accounts to prevent an 'UNKNOWN ERROR' (aas token)
- 'client_sig' is needed if you want a longer expiration time for the token (auth token).
I couldn't find any more errors related to other parameters.
If you want to follow that approach (auth2_4 token) I suggest you check:
https://gitlab.com/AuroraOSS/gplayapi/-/tree/master
https://github.com/whyorean/Authenticator
(You can make it return the auth2_4 token, but you need to make changes)
OK well as of now I have switched to Android API 21, which means my package no longer supports email/password login:
https://github.com/1268/google/commit/784a2a7ba45352a06ff5213082ce402a61427e9c
I don't think people will like that, but I am not really interested in supporting a 10 year old API any more. also I was able to rip out the custom TLS code, which makes the process much better from a coding standpoint. I will leave this open in case @simon-weber or anyone has any ideas on the bot guard.