The Process of Reverse Engineering the August Lock API

Charles Proxy with login session response

August API Responses

I started monitoring traffic from a fresh install of August so I knew I wasn’t missing any API requests fired on the first launch. Once I logged in, I started loading all the various screens and interacting with the app as much as possible to give me a broad overview of various aspects of the API calls. I then logged out and back in again to see if anything changed from the initial login. While the first time sent me a login validation code, the second time did not. Validation appeared to be tied to an “installId” UUID being sent on the login request, which was indicated in a slightly modified response on the second login.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.[…].twlSVoeaUm_EEOikRXxaAICPQNng

{"typ":"JWT","alg":"HS256"}

{
  "installId": "0000000-0000-0000-0000-000000000000",
  "applicationId": "",
  "userId": "0000000-0000-0000-0000-000000000000",
  "vInstallId": true,
  "vPassword": true,
  "vEmail": false,
  "vPhone": false,
  "hasInstallId": true,
  "hasPassword": true,
  "hasEmail": true,
  "hasPhone": true,
  "isLockedOut": false,
  "captcha": "",
  "email": [
    "email:myemail@gmail.com"
  ],
  "phone": [
    "phone:+15555551234"
  ],
  "expiresAt": "2016-06-03T08:39:48.377Z",
  "LastName": "Brown",
  "FirstName": "Nolan"
}
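
The decoding shown above can be reproduced with a few lines of Python. This is an added example, not code from the original post or from August: it splits a JWT, base64url-decodes the header and payload without checking the signature, and pairs the has*/v* flags to show which factors are present and verified. The sample token and its HMAC key are constructed here, with payload values taken from the decoded output above.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Return (header, payload). The signature is NOT checked: anyone who
    sees the token can read these claims, they are encoded, not encrypted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def verification_state(payload: dict) -> dict:
    # factor -> (present, verified), built from the has*/v* claim pairs.
    return {f: (payload.get("has" + f, False), payload.get("v" + f, False))
            for f in ("InstallId", "Password", "Email", "Phone")}

def make_sample_token(payload: dict, key: bytes) -> str:
    # Constructed HS256 token for this demo only; the key is made up.
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

# Constructed sample: a subset of the decoded payload shown above.
SAMPLE_PAYLOAD = {
    "installId": "0000000-0000-0000-0000-000000000000",
    "vInstallId": True, "vPassword": True, "vEmail": False, "vPhone": False,
    "hasInstallId": True, "hasPassword": True, "hasEmail": True, "hasPhone": True,
    "email": ["email:myemail@gmail.com"],
    "expiresAt": "2016-06-03T08:39:48.377Z",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_PAYLOAD, b"constructed-demo-key")

if __name__ == "__main__":
    header, payload = decode_unverified(SAMPLE_TOKEN)
    print("header:", header)
    for factor, (present, verified) in verification_state(payload).items():
        print(f"{factor:10} present={present} verified={verified}")
    print("expires:", payload["expiresAt"])
```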

Android App

I downloaded the August Lock APK and decompiled it, giving me very nicely formatted source code for the Android app. It was a large-ish code base (roughly 43,6072 LOC; most of that code wasn’t from August, but I still had to dig through it all) and not everything was able to be decompiled into readable variables or class names. I decided to start by searching the source code for something I knew was hardcoded, such as the token header. I found the header being set in the main API file and worked my way back from there, finding a class that neatly contained every endpoint for the August API (many of which I had not seen in my logs) and some interesting functions available in a Utilities class.

Making and breaking things for most of my life. Tw: @nolanbrown IG: @nolan

Nolan Brown