WoBike

Add new provider: Movo

Open lucmartinon opened this issue 5 years ago • 5 comments

Hello there! Thanks a lot to everybody who participated in this repo, this is a gem!

Movo is a provider of e-scooters in Madrid and different cities of South America.

From what I see with Charles:

  • the OTP to check phone number is managed by Facebook (Account Kit)
  • when the map is loaded there is a request to s0.movo.me, but looking for this string in Google and in GitHub brings no result; I'm a bit out of ideas about how to find more details.

lucmartinon avatar Sep 29 '19 07:09 lucmartinon

If you're using a web proxy, you just need to trace the requests made by the app. Since it sounds like you're already using Charles, just trace the steps of the application. I'm not sure how Facebook's authentication works with Movo, but all that is important is that you somehow get an access token for Movo, assuming there is one.

You should be able to find a POST request made to that URL, s0.movo.me, at some endpoint, which probably has a JSON body like:

{
   "token": "xyzxyzxyzxyz"
}

I have no idea what it actually looks like, but you just need to be able to trace the body and headers made with the POST request to get scooter locations.

mitmproxy might be more friendly than Charles, and here is a good Medium post on getting started with it.

bransonf avatar Oct 01 '19 05:10 bransonf

Hum, as far as I can see, with Charles I cannot see the details of the HTTPS traffic, so the only thing I get is the server name, although the certificate is installed on my device. With MITM the app sees that there is a proxy and totally stops the communication. So for now I'm a bit blocked, will keep trying though.

lucmartinon avatar Oct 02 '19 07:10 lucmartinon

For me I got a GET request to https://core.2hire.io/v4/user/api/sharing/vehicle

Query Headers:

  • Authorization: Bearer <token>
  • x-SERVICE-TOKEN: <anotherToken>

Query Params:

  • filters: <JSON-SeeBelow>
  • site: 10

Here is an example for the "filters" parameter:

{
   "_self" : {
      "longitude" : [ -3.7166256672308293, -3.6881143327691177 ],
      "type" : [ "kick", "scooter" ],
      "latitude" : [ 40.397951408697942, 40.435403379517375 ]
   }
}

jhoogstraat avatar Oct 04 '19 13:10 jhoogstraat

@jhoogstraat very cool, thanks! Could you describe how you did it? By chance, have you also caught the request for the One Time Password that allows getting the tokens?

thanks!

lucmartinon avatar Oct 04 '19 13:10 lucmartinon

The login process seems to be a bit more involved as it uses Facebook's AccountKit.

The most important request seems to be to https://core.2hire.io/v4/user/login/accountkit. But the request body contains some code from AccountKit.

Query params are:

  • Authorization: <No Content?!>
  • SERVICE-TOKEN: <longToken>

Query body contains: code=<VeryLongCode>

The response looks something like this:

{
   "status" : true,
   "error" : null,
   "data" : {
      "token" : {
         "expire" : 1425744595164,
         "UserId" : 111111,
         "id" : 1234567,
         "code" : <token>,
         "clientType" : 0,
         "created_at" : "2019-10-04T15:12:11.000Z",
         "updated_at" : "2019-10-04T15:12:11.000Z",
         "unlimited" : false
      }
   }
}

I have no experience with AccountKit. Someone else might be able to help here.

I logged the requests with FLEX for iOS.

jhoogstraat avatar Oct 04 '19 14:10 jhoogstraat