How to reverse engineer app traffic on Android phone

fuatakgun edited this page May 27, 2021 · 4 revisions

What you need:

  • Android phone
  • Windows computer (maybe Linux would work but I do not know)

Summary:

  • Modify the original UVO app: By default, apps can be set to trust only their internal SSL certificate, and we override this attribute inside the app. You can do this locally on your computer or download it from here. From a security perspective, I suggest you do it yourself so you do not need to rely on me; from a laziness perspective, this is good to go :) - https://github.com/shroudedcode/apk-mitm
  • Reinstall the modified UVO app: download the APK to your phone and enable installing applications from unknown sources (every source other than the Google Play Store is unknown). This is covered on the previous page.
  • Download and install Fiddler Everywhere (https://www.telerik.com/download/fiddler-everywhere): this lets you see what your phone requests from the Kia servers, what the parameters are and what the response is.
  • Download the Fiddler certificate to your phone and trust it: this lets Fiddler decrypt the SSL traffic between your modified APK and the Kia servers. If you do not have this certificate installed and trusted on your phone, the traffic will only be visible in encrypted form.
  • Clear all data from the modified APK, restart it, log in and play with some commands: start car, stop car, start charge, stop charge, get vehicle status, get trips, refresh data etc., so that all traffic is captured in Fiddler.
  • You can save the traffic records and share them with me ([email protected]) directly inside the application, but you have to change your password immediately, as it will be clearly visible inside the recorded traffic. I do not know how to redact this sensitive information from recorded traffic. If you have enough knowledge, you can skip me and go ahead and implement the code directly. All contributions are welcome.
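
The last step notes that the saved capture exposes the password. One way to mask credentials before sharing a capture, as an added example that is not part of the original wiki or the project's code: it assumes the session has been exported as HAR (HTTP Archive) JSON and loaded with `json.load`. The name fragments, function names and sample capture are constructed for illustration.

```python
import json
import re

MASK = "REDACTED"
# Assumed credential-like name fragments; broad on purpose, over-masking is the safe failure.
FRAGMENTS = r"pass|pwd|pin|token|secret|session|cookie|auth|key"
SECRET_NAME = re.compile(FRAGMENTS, re.I)
SECRET_PAIR = re.compile(rf"(?i)([\w.\-]*(?:{FRAGMENTS})[\w.\-]*=)[^&\s]*")  # name=value pairs

def scrub_json(value):
    """Recursively mask values stored under credential-like keys."""
    if isinstance(value, dict):
        return {k: MASK if SECRET_NAME.search(k) else scrub_json(v) for k, v in value.items()}
    return [scrub_json(v) for v in value] if isinstance(value, list) else value

def scrub_text(text):
    """Mask a JSON body; fall back to name=value masking for URLs and form bodies."""
    try:
        return json.dumps(scrub_json(json.loads(text)))
    except ValueError:
        return SECRET_PAIR.sub(rf"\g<1>{MASK}", text)

def scrub_pairs(pairs, mask_all=False):
    """Mask HAR name/value lists (headers, cookies, queryString, params) in place."""
    for pair in pairs or []:
        if mask_all or SECRET_NAME.search(pair.get("name", "")):
            pair["value"] = MASK

def redact_har(har):
    """Mask credentials in every request and response of a parsed HAR document."""
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = scrub_text(req["url"])
        post = req.get("postData") or {}
        scrub_pairs(post.get("params"))
        for msg in (req, resp):
            for field in ("headers", "cookies", "queryString"):
                scrub_pairs(msg.get(field), mask_all=(field == "cookies"))
        for body in (post, resp.get("content") or {}):
            if body.get("text"):  # base64 bodies cannot be inspected, so mask them whole
                body["text"] = MASK if body.get("encoding") == "base64" else scrub_text(body["text"])
    return har

# Constructed sample capture, not real traffic; example.invalid is a placeholder host.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://example.invalid/login?access_token=abc123&lang=en",
                "headers": [{"name": "Authorization", "value": "Bearer abc123"}],
                "postData": {"text": '{"email": "a@example.invalid", "password": "hunter2"}'}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=xyz"}],
                 "content": {"text": '{"sessionId": "s-1", "status": "ok"}'}}}]}}
```

Before sending the redacted file, search it for your own password and e-mail address: a secret stored under a name the fragment list does not cover passes through unchanged.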