Help spoofing X-App-Token of an Android app



I’m trying to spoof the X-App-Token header this app sends in the login request. I tried reverse engineering the app and found out this piece of code is responsible for the generation of this header:

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;
private String getHash(String paramString1, String paramString2, long paramLong)
    throws ApiException
{
    try
    {
        // paramString2 is the HMAC secret, paramString1 the identifier that is signed together with the timestamp
        SecretKeySpec localKey = new SecretKeySpec(paramString2.getBytes(), "HmacSHA1");
        paramString1 = this.apiContext.getApiFormatting().format("%1$s:%2$s", new Object[] { paramString1, Long.valueOf(paramLong) });
        Mac localMac = Mac.getInstance("HmacSHA1");
        localMac.init(localKey); // dropped by the decompiler, but it must be here: init() is the only call that throws the InvalidKeyException caught below
        paramString1 = new String(Hex.encodeHex(localMac.doFinal(paramString1.getBytes()))).trim();
        return paramString1;
    }
    catch (NoSuchAlgorithmException e) { throw new ApiException("Failed to hash key.", e); }
    catch (InvalidKeyException e) { throw new ApiException("Invalid key.", e); }
}

And then this one combines them all (paramString1 and paramString2) together:

private String getSignature(String paramString1, String paramString2)
    throws ApiException
{
    long l = System.currentTimeMillis() / 1000L; // Unix time in seconds; embedded in the header and covered by the HMAC
    return this.apiContext.getApiFormatting().format("%1$s:%2$s:%3$s", new Object[] { paramString1, Long.valueOf(l), getHash(paramString1, paramString2, l) });
}

Here’s an example of the final header it generates:

X-App-Token: hha821a001pa1nhff0:1521012658:de1099e6ae51a529eb3b88711b7968ccea90f7d0

Once generated, the header is only valid for ~15 min. I want to spoof this header so that I can always generate a valid header myself that the server accepts.

If there is something else (like a Java class or object or anything) that I’ve not included here and that is required in order to spoof the header, just say so and I’ll provide it (or you can also reverse engineer the app I’ve linked above and get it yourself, because I’m not that good at this stuff). I don’t know Java much (not at all), so I thought why not ask the pros.

(Not a N00b, but still learning) #2

I would be happy to help, but I need the values of paramString1 and paramString2 (method call). Unfortunately, the APK-DL service seems to be out of quota today. Can you upload the APK somewhere?


Thanks for the reply and here you go.

(system) #4

This topic was automatically closed after 30 days. New replies are no longer allowed.