Development Stack

[rhart211]

@NodeJSmith How are you monitoring API calls from the OTF app during development? Specifically, are you using a proxy (like Burp) with the Xcode iOS emulator, or another method? Curious to learn your approach. Thanks!

[NodeJSmith]

I use Android and Windows/Linux so I don't have any familiarity with Xcode or any other ios tools. I did try doing some mitm network snooping but didn't have much luck. I ended up pulling the apk and decompiling it with jadx and have spent a lot of time going through the codebase to find the API calls and data models.

The difficult thing is that 1) the data models are downright awful, they are super inconsistent and sometimes inaccurate and 2) there is a ton of logic being done on the client side and reading through decompiled Java to figure out the logic is a huge pain in the ass. So there are likely more things like the studio on the performance summary that this package is lacking, because it's handled client side and I've really only recreated the straight api calls and data models.

[marcelbarbulescu]

ProxyMan on macOS successfully proxied the OTF app in an Android simulator but required APK patching with apk-mitm.

[NodeJSmith]

Does that just allowing seeing the network traffic going in and out of the app? I'm trying to determine if it's worth my time to get it working, since I've already handled 90% of the api calls.

What I'd really benefit from the most now is a way to see what the input/output of method calls is, for the local data manipulations that are required to display most of the screens.

[marcelbarbulescu]

Just the network traffic. Think of the Network tab in the Chrome DevTools.

[rhart211]

@marcelbarbulescu That's a good idea. I didn't think about using the Android Emulator. I had thought about using the iOS Simulator found within Xcode, but you can't install apps from the Apple App Store unfortunately. My thought was to do the same that you did, but using the proxy in the Burp Suite. You could use this method on an actual phone because Burp does provide the CA so that you can decrypt the SSL traffic.

@NodeJSmith Like @marcelbarbulescu says, it would purely network traffic that you would see. You could how the data is requested and returned. But I think you've figured that out already.

[NodeJSmith]

Wanted to give an update here - I have had to dig into this more, as just reading the source code was no longer enough to answer some of my questions. I'm now using an android emulator docker image budtmo/docker-android:emulator_9.0 and frida to get what I need.

I'm happy to share more information or my setup script if it'd be helpful, I have a little script that setups up my environment and then i just run frida-trace from my shell, which has been enough for now but may need to be expanded upon, especially with this PITA SigV4Auth issue on the new endpoints.

[NodeJSmith]

Update to my update - I didn't even need to be digging into the SigV4Auth, the endpoints I was working on didn't even use it, I was just dumb. But still glad I got the emulator and frida set up

[rhart211]

Thank you. If you don't mind sharing your setup script that would be great. I'd love to see what's happening behind the scenes as well. I've never used frida before, so that's new too.

Is this docker container easier to use than the emulator in Android Studio?

[rhart211]

@NodeJSmith and @marcelbarbulescu did you patch the entire app bundle using apk-mitm? I did that by zipping the base and the split apk's together, which seemed to work and allowed the app to be installed. However, when I click on sign-in, the app crashes. How did you get around this issue? Or did you do it a different way? Thanks

[NodeJSmith]

@rhart211 Here's a gist of my run.py: https://gist.github.com/NodeJSmith/5fdcaeff52adb8931a6238fd37d6d680

the package name for the app is "com.orangetheoryfitness.orangetheory". Sounds like you have the split apk already, so you'll just need to point the script to that directory and ensure you have docker installed and adb installed/accessible from path, plus you'll need the frida server binary - I believe this is the one that I am using. You'll need to have the frida-tools package installed too, and it will need to be at the same version.

It is easier than using android emulator because the whole thing is easier to spin up/down as desired, and you can access the emulator through http://localhost:6080/ (by default)

I think with the gist and this comment + some ChatGPT, if necessary, you should be able to get up and running