Reverse Engineering API

This GitHub issue briefly talks about how I reversed some of the Ring APIs.

In summary, if you are dealing with pinned certs you can:

  • Decompile the app and put in your own certificate
  • If they use OOB (Android SDK) pinning there are Xposed modules (and other projects) to be able to circumvent the certificate by hijacking parts of the OS. Root is required on a device to do this.

I've set up a couple of ways to handle unpinning but the setup that I am most happy with is:

  • Nexus 4 (running Pure Nexus ROM 7.1.2 because Nexus 4 is easy to root and had lots of users so lots of options)
  • Xposed framework (version 89 in my case)
  • "SSL Unpinning 2.0" module
  • WiFi proxy server in settings to a Fiddler 4 proxy server to decrypt HTTPS traffic
  • The Fiddler 4 certificate installed as a "Trusted credentials" certificate at the OS level

So, if they don't pin a certificate I have the Fiddler 4 certificate trusted by the OS. If they do pin a certificate then I have the Xposed module to unpin.

All of these methods may fail if they decided to implement certificate pinning without using the provided framework. OR... if they sign the APK with a different certificate and check the security signing (this is actually built into new Android versions and that's why I use 7.1.2). Or they did something else proprietary to check tamper or security. I've had this happen and it happens more frequently lately.

If it DOES happen though... You can still decompile their code. I just read what's going on and piece it together. This takes a lot more time than sniffing traffic typically though.

Decompiling even fails if it's not in Java e.g. they include a C++ binary and invoke that. Then... well, you can still decompile but it's miles more difficult. I'm not good at decompiling C/C++ code but there are so many tools to do it. It's a job by itself though.

Does Wyze have a web app at all? Even if it doesn't have a lot of functionality? If so, you can go at that. It's easier. If you are just looking at the camera part of Wyze you can try a weaker app that has already figured it out. For example, I think there is an app in Android called tinyCam that has Wyze camera support.

Of course, all of this is done for educational purposes only. Security auditing.
