Get mobile app source code encrypted by IBM MobileFirst

Get mobile app source code encrypted by IBM MobileFirst
Posted on
Jul 04, 2022

Hey! I'm Roman, CTO at Techvice. Sometimes I do mobile apps reverse engineering to access APIs and reproduce queries in Python or NodeJS code. This is necessary to create a data scraper. In one of the recent scraped apps I noticed traces of using IBM MobileFirst.

IBM MobileFirst (or IBM Mobile Foundation) is a platform for developing, optimizing, integrating and managing secure mobile applications.

Disclaimer

  1. I won't mention here the name of the application.

  2. The IBM site documentation notes that this protection doesn’t provide unbreakable encryption, but provides a basic level of obfuscation.

Application Analysis

Firstly, I tried to intercept traffic between the mobile application and the server using mitmproxy. But I got an error because the application uses SSL pinning.

To disable SSL pinning, I used the Frida utility. Here’s one of the examples Frida's scripts to bypass SSL pinning - https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/.

I tried to use frida scripts we created for applications we explored before, but nothing worked. This application probably has a custom SSL pinning implementation for which my past practice doesn’t work.

Application Decompilation

For decompiling Android applications I used JADX.

[email protected] some_app % jadx -d ./source_code ./some_app.apk 
INFO  - loading ...
INFO  - processing ...
ERROR - finished with errors, count: 25

At the output, JADX gave us 2 directories: resources and sources. Let's take a look inside the source.

[email protected] some_app % ls -la source_code/sources 
total 0
drwxr-xr-x  18 techvice  staff   576 Jun 27 15:18 .
drwxr-xr-x   5 techvice  staff   160 Jun 27 15:19 ..
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 a
drwxr-xr-x   4 techvice  staff   128 Jun 27 15:18 android
drwxr-xr-x   5 techvice  staff   160 Jun 27 15:18 androidx
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 b
drwxr-xr-x  33 techvice  staff  1056 Jun 27 15:18 c
drwxr-xr-x  19 techvice  staff   608 Jun 27 15:18 com
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 cordova
drwxr-xr-x  23 techvice  staff   736 Jun 27 15:18 d
drwxr-xr-x   4 techvice  staff   128 Jun 27 15:18 de
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 defpackage
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 e
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 im
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 net
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 nl
drwxr-xr-x   5 techvice  staff   160 Jun 27 15:18 org
drwxr-xr-x   3 techvice  staff    96 Jun 27 15:18 uk

In the sources directory of the decompiled application, there is a Cordova directory. Well, we know what we are dealing with now.

Applications built on Cordova are regular web applications that run on the Chromium engine. JS, CSS and HTML files required for the application work located in the `resources/assets/www` directory. I open this directory and see…

Archives
Archives

Surprise! Instead of the expected HTML, CSS and JS files, I saw a zip archive split into several parts.

Of course, I tried to unpack it, but, as expected, I got an error that the archiver was unable to do this.

Getting Source Code

Firstly I looked for the encryption key, tried to research how the encryption/decryption algorithm works. A few hours later it struck me…

Idea
Idea

Previously I said that Cordova applications are regular web applications running on the Chromium engine. But Chromium can't decompress and decrypt zip archives! So, before the application starts, this archive should be unpacked somewhere.

I launched the app on the Android Emulator. Using SSH I connected to the emulator shell and executed a couple of bash commands like find . -name index.html . After a few minutes, I managed to find a place on the file system where the encrypted zip archive is unpacked.

This is what the source code looks like.

Files
Files

Final Thoughts

I clicked on index.html, which opened in Chrome browser. Then at the Network tab in Chrome Dev Tools (to open press F12) I found all the requests that the application makes to the server.

Tired of getting blocked while scraping the web?

Try out Web Scraping API with proxy rotation, CAPTCHA bypass, and Javascript rendering.

  • 1,000 Free API Credits
  • No Credit Card Required
  • 30-Day Trial
Try now for free

Get structured data in the format you need!

We offer customized web scraping solutions that can provide any data you need, on time and with no hassle!

  • Regular, custom data delivery
  • Pay after you receive sample dataset
  • A range of output formats
Get a Quote
Roman Milyushkevich
Roman Milyushkevich
Roman Milyushkevich’s profile

I'm a big believer in automation and anything that has the potential to save a human's time. Everyday I help companies extract data and make more informed business decisions for reach their goals.

Request a Quote

Tell us more about you and your project information.