I was reading through the de-obfuscated code using jadx but I think it’s easier to just sniff the communication using mitmproxy. Since the
client_secret are sent in plain-text it’s possible to extract. Unfortunately Velux has certificate pinning enabled which means sniffing the traffic requires patching the APP.
Steps required for patching the Android APK:
- Get the APK (either download it form some shady websites or use some apk share/backup app)
- Get apktool
- unpack with
apktool d com.velux.active_18.104.22.168-all-arm64-v8a.apk
- Remove certificate pinning from
- add instead
<trust-anchors><certificates src="system" /><certificates src="user" /></trust-anchors>
- Build the apk again with
apktool b -o /tmp/test.apk com.velux.active_22.214.171.124-all-arm64-v8a
- Sign the apk with a developer key:
apksigner sign -ks ~/android.jks --in /tmp/test.apk --out /tmp/com.velux.active_126.96.36.199-all-arm64-v8a_signed.apk
- install the APK
adb install /tmp/com.velux.active_188.8.131.52-all-arm64-v8a_signed.apk
Now the network sniffing part:
- start mitmproxy on your laptop (for example on ip 192.168.1.10)
- Install the mitmproxy certificate in android as user certificate (you can find it in
- set android proxy ip to your laptop:
adb shell settings put global http_proxy 192.168.1.10:8080
You should see network traffic coming through the mitmproxy and you can see the oauth token exchange when you open the velux app and all other API calls.
In case you have blinds and windows I would be interested how the API looks like. I would be very happy if you have any mitmproxy traces for me! (double check if they contain any private data before sending! I will not publish any traces but you can’t trust strangers).
Once you’re done delete the proxy settings, restart your phone double check there are no new calls in mitmproxy and stop the proxy. Uninstall the patched velux app and reinstall from the play store.
You can delete proxy settings using:
$ adb shell settings delete global http_proxy 192.168.1.10:8080
$ adb shell settings delete global global_http_proxy_host
$ adb shell settings delete global global_http_proxy_port
I can understand this all looks incredible complicated but I was surprised to be easier than expected. Nevertheless I hope there will be a easier way eventually.