Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bypass Firebase Signature? #161

Open
DrewRidley opened this issue May 12, 2024 · 0 comments
Open

Bypass Firebase Signature? #161

DrewRidley opened this issue May 12, 2024 · 0 comments

Comments

@DrewRidley
Copy link

Hey all,

For applications that use firebase as their primary analytics, authentication or database service, one might want to use apk-mitm to gather better insight into how these applications work.

Unfortunately, when using the patched APK, a production version of firebase can output:

{
	"error": {
		"code": 403,
		"message": "Requests from this Android client application com.someapp.android are blocked.",
		"status": "PERMISSION_DENIED",
		"details": [{
			"@type": "type.googleapis.com/google.rpc.ErrorInfo",
			"reason": "API_KEY_ANDROID_APP_BLOCKED",
			"domain": "googleapis.com",
			"metadata": {
				"service": "firebaseinstallations.googleapis.com",
				"consumer": "projects/some_project"
			}
		}]
	}
}

In these cases, is there any way to spoof the SHA-1 signature such that firebase accepts requests from the patched application?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DrewRidley