Reverse engineering crappy IoT apps is a hobby of mine, but a lot of them have started to pin certificates so you cannot see what they are doing behind the scenes. I have put this tutorial together to show how to get around that pinning on Android 😉.
My name is Josh Mulliken and I am a Product Security Engineer at Red Hat. I also maintain an integration for Home Assistant that allows users to control Wyze devices.
The code for that can be found on GitHub 👇
GitHub - JoshuaMulliken/ha-wyzeapi: Home Assistant Integration for Wyze devices.
Feel free to visit my site if you want to connect!
OWASP Zap
Frida
Rooted Android Phone
⚠️ Since the apps we are interested in are not debuggable, we have to be root.
Install OWASP ZAP: brew install owasp-zap
✅ It is available on basically all platforms: https://www.zaproxy.org/download/
Install Frida: pip3 install frida-tools
Open "Options"
In "Options" click "Local Proxies" and add a new proxy with an IP address that is reachable from the phone.
NOTE: Be sure to enable "Behind NAT" if you are using a private IP (you should be)
Export the certificate by going to "Dynamic SSL Certificate" and saving the certificate to a path on your machine.
Add the cert to your Android phone. I used adb push and then installed it in Settings.
Add the proxy to your network config. Go to "Wi-Fi" → click on the ⚙️ next to your network → click on the ✏️ → under Proxy change "None" to "Manual" and add the IP address and port that you configured in Step 2.
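If you would rather not tap through Settings every time, the cert push and proxy steps can be driven over adb. This is an added example, not code from the original post: it assumes adb is on your PATH, a single rooted device is attached, ZAP is already listening, and the ZAP_HOST, ZAP_PORT and ZAP_CERT values are placeholders you replace with what you configured.

```shell
#!/bin/sh
# Added example (not from the original post): push the exported ZAP CA to the device
# and set Android's global HTTP proxy to the ZAP listener over adb.
# Placeholders below: replace with the values from your "Local Proxies" and
# "Dynamic SSL Certificate" dialogs.
ZAP_HOST="${ZAP_HOST:-192.0.2.10}"                # placeholder: LAN IP ZAP listens on
ZAP_PORT="${ZAP_PORT:-8080}"                      # placeholder: ZAP listener port
ZAP_CERT="${ZAP_CERT:-./owasp_zap_root_ca.cer}"   # placeholder: path you exported the CA to

# Android stores the global proxy as a single "host:port" string.
proxy_setting() {
    printf '%s:%s\n' "$1" "$2"
}

# Reject anything that is not a decimal port in 1..65535 before touching the device.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Copy the exported CA to the phone; it still has to be installed from Settings
# (Security -> Install a certificate -> CA certificate; menu names vary by vendor).
push_cert() {
    adb push "$ZAP_CERT" /sdcard/Download/
}

# Point the whole device at ZAP. Unlike the per-network Wi-Fi proxy this setting
# follows the device across networks, so clear it when you are finished testing.
set_proxy() {
    adb shell settings put global http_proxy "$(proxy_setting "$ZAP_HOST" "$ZAP_PORT")"
}

# ":0" is the value Android treats as "no global proxy".
clear_proxy() {
    adb shell settings put global http_proxy :0
}

case "${1:-}" in
    apply)
        valid_port "$ZAP_PORT" || { echo "bad ZAP_PORT: $ZAP_PORT" >&2; exit 1; }
        push_cert && set_proxy ;;
    clear)
        clear_proxy ;;
    *)
        echo "usage: $0 apply|clear" >&2 ;;
esac
```

Keep in mind that since Android 7 apps do not trust user-installed CAs unless their network security config opts in, so installing the ZAP cert only helps with apps that allow it; the pinned ones are what the Frida step is for.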