I should have mentioned, although app is for GDO but you can control a virtual presence sensor via webhook and define geofences anyway you like giving you fairly precise control all the way to <100 ft distance.
So I think I got this working (temporarily) for now. Here's what I did:
- Commented out lines 229-257 in the listCircles method, since this API call is blocked. This allowed the main app page to load and get past the "login error", since that API call appears to be blocked. I was then able to add my son as a "device" (was previously missing in my hub as he recently got a new phone and we installed Life360 on it).
- Installed the "WebProxyTool" app on my iphone, and then used it to review the calls made from the Life360 app to api-cloudfront.life360.com. From here, was able to find my current "Bearer token" (it appears in almost every API call).
- Added a line of code at the top of the "updateMembers" function to set the "state.life360AccessToken" to the token I found.
Doing this, I was able to add my son as a "device" (he recently got a new phone) using the Life360+ Hub app, and then since the "updateMembers" function still appears to be working, my Hub can now obtain our family information to determine if we are home or away.
Here's what I discovered in trying to get this to work:
- It appears the Life360 API Token is long-lived. No idea how long it lasts or if it expires, but it appears that one you login to the app on your phone, that token is stored and used for all API calls.
- I tried to capture the API calls using the WebProxyTool app when logging into the app, but those calls appear to be blocked. I noticed the same thing trying to login on my laptop and tried to capture using Fiddler. My best guess is that these HTTPS capture tools are stripping off headers related to CAPTCHA, and therefore the API call is blocked if those are not provided. Not sure how to get around this. (Also noticed GMAIL would not send emails if the WebProxyTool was turned on).
- It appears that only the Life360 authentication and list circles API calls are blocked. All other API calls seem to work fine.
- As long as you have your circle ID and your token, you can then continue to use the API, just like the iOS app does.
Hope this helps in fixing this app and continuing to troubleshoot. I really would prefer continuing to use Life360.
4 Likes
Thanks for posting these details! Yeah I also hope it can help with finding a solution.
My token is still going - the last time I logged in (in Hubitat app) was in December I believe. So, it's good that this value isn't changing very often at least.
2 Likes
Mine appears to be working even though reporting login error.
I switched to C8-Pro - 1/25 as the logs stopped then. When I restored my setup Life360 was not able to login due to the change mentioned.
So I wrote it off and installed the GeoFency to test.
This morning I opened up the phone app. I was already logged into the phone app and it was working fine.
Then I noticed that my 5 sensors for family members all reported. The Hubitat app is not logged in - showing unable to login error.
And then when I check the logs of the sensors further I find that they started updating on 2/2 and continued through 2/4. Then stopped again. And then started this morning when I opened the phone app.
So it is updating even though the app says error logging in. The app doesn’t appear to have anything in events or a way to turn on logging when not logged in? Not sure if this is helpful but curious what is going on? Thanks.
The app tries to fetch your circles when you open it and this call fails now; that's why you get the Login Error.
However, if you were previously logged-in, the app will continue to use the same auth token to fetch device updates and that still works fine for some people. It will likely stop working eventually.. you can force it by logging out of the phone app and logging back in.
My devices were also working fine but I wanted to test out capturing packets as mentioned above. I logged out of the phone app and when I logged back in the app said something about logging out other connected devices (which I assume was the Hubitat app).
I also hadn't verified my phone number either previously but did so this time. So long story short the Hubitat app doesn't work for me anymore.
I have Android and installed PCAPdroid to try and do the same thing. I setup the SSL certificate to capture SSL requests and captured a Life360 login. I haven't done this in many years so I'm going to need to figure out how to decipher it..
In any case, I do notice that if I login by either phone number or email I get a 2FA code sent to my phone. I'm guessing that will be necessary for any solution that can be found... I do know of 1 Hubitat app, Blink, that also requires you to input a 2FA code so that might help to find a solution...
Is anyone able to get this to work, I am not compleatly understanding what is going on. I got an email back saying that 360 has no interest in allowing home automation or API access anymore.
I tried the same thing (also Android user) but didn't have any luck. The Life360 app doesn't respect user certificates so I wasn't able to capture any decoded Life360 traffic. If you have a rooted phone you could probably install the cert as a system cert to get it to work. I tried a few other approaches (fiddler, http toolkit) but all had the same result - couldn't decode the traffic with any of them.
Ok that's good to know. My phone is rooted so I could try that.
1 Like
Some possible good news on this front.. I was able to login and capture what was sent/received and it doesn't look too complicated.
I'm writing down the details now and will look at how to update the Hubitat app but I'm by no means a groovy developer so I might need some help in that area.
It would need to change somewhat as the flow I'm looking at is something like this:
- enter your phone number (there's a email login too but I just started with a phone number login)
- enter a OTP code that you receive via SMS
For this case you will need to make sure your Life360 user has the phone number verified. I'd also recommend creating a separate user and adding them to your family so there's not multiple devices (phone & Hubitat) accessing the same user account.
Anyway, I wanted to at least give a heads-up that I started looking into this and there's at least some promise it can get back and running again!
8 Likes
rats.. I thought that was going well but apparently not as I was blocked while testing this. I was careful but clearly not careful enough!
<p data-translate="blocked_why_detail">This website is using a security service to protect
itself from online attacks. The action you just performed triggered the security solution.
There are several actions that could trigger this block including submitting a certain word
or phrase, a SQL command or malformed data.</p>
</div>
I'll post what I learned here in case anyone else has an idea how to proceed:
step 1: login with phone number
POST https://api-cloudfront.life360.com/v5/users/signin/otp/send
{
"countryCode": "1",
"nationalNumber": "2223334444"
}
Just calling this API isn't enough as there are several HTTP headers that are also set. I'll post the ones I think are helpful below with some of the data changed (XXX).
Authorization: Basic Y2F0aGFwYWNyQVBoZUtVc3RlOGV2ZXZldnVjSGFmZVRydVl1ZnJhYzpkOEM5ZVlVdkE2dUZ1YnJ1SmVnZXRyZVZ1dFJlQ1JVWQ==
ce-id: 545eed0c-ba3c-40b2-8310-XXX
ce-source: /ANDROID/14/Google-Pixel-7/XX-41b1-4cf0-be77-XXX
ce-specversion: 1.0
ce-time: 2024-02-08T14:54:34.860Z
ce-type: com.life360.device.signin-otp.v1
Host: api-cloudfront.life360.com
User-Agent: com.life360.android.safetymapd/KOKO/24.5.0 android/14
X-Device-ID: XX-41b1-4cf0-be77-XXX
- The X-Device-ID header is some unique ID for your device. I was going to just create one using
UUID.randomUUID().toString()in the app. - the
ce-*headers are probably the 'security' part of this.. I'm not sure where these values are created but they do change over time
Anyway, I was able to request the OTP code once in Postman successfully. But, the second time I tried with the same values I was banned so clearly that's not good enough.
I captured the other API requests but figuring out this one is the key to the rest...
1 Like
Hi,
Is this still not working? I noticed today Life360+ update in HPM so I had a little hope it is fixed (?)
all my devices stopped reporting since Feb. 5.
It works for some, but not for others.
For example, my log is full of error messages (a mix of 408 and 502), but the presence is updated correctly.
It seems that if you were logged in before the change was made on their end, then you are ok. But if you logged out and back in again it will fail. In my case I installed a C8-Pro and in so doing forced a re-login and it failed.
Noticed that as well, but still going strong for me. I don't rely on it anymore, so I'm just keeping it to see how long it goes before fully dying, for the fun of it 
1 Like
Mine just broke as well.
What do you use instead? Everything else I have tried is just not as reliable.
Google presence is rock solid my wife and I
Unexpectedly, mine still works after migrating from C7 to C8P a few days ago. The app says that I have a login error, but the values are changing correctly. Also, "LIfe 360+" no longer appears in the "Produced by" column of the Events page for the presence device.
1 Like
I'm guessing the migrate just saved and restored the access token which still works. I hope someone comes up with a fix but seeing how difficult Life360 made it I'm not holding my breath.
There's several options -- all with pros and cons (and their own support thread I imagine too)
If you want a Life360 replacement (ie: family tracker), OwnTracks seems to be a popular one. I'm planning on switching my family to this at some point
1 Like
