Reverse engineering low-quality IoT apps is a hobby of mine, but many of them have started pinning certificates so you cannot see what they are doing behind the scenes. I have put this tutorial together to show how to get around that on Android 😉.

About the Author

My name is Josh Mulliken and I am a Product Security Engineer at Red Hat. I also maintain an integration for Home Assistant that allows users to control Wyze devices.

The code for that can be found on Github 👇

GitHub - JoshuaMulliken/ha-wyzeapi: Home Assistant Integration for Wyze devices.

Feel free to visit my site if you want to connect!

Requirements

Getting Started

Installing Requirements

  1. Install OWASP ZAP: `brew install owasp-zap`

    NOTE: ✅ It is available on basically all platforms: https://www.zaproxy.org/download/

  2. Install Frida: `pip3 install frida-tools`

Configure your phone to work with OWASP Zap

  1. Open "Options"

  2. In "Options" click "Local Proxies" and add a new proxy bound to an IP address that is reachable from the phone.

    NOTE: Be sure to enable "Behind NAT" if you are using a private IP address (you should be).

  3. Export the certificate by going to "Dynamic SSL Certificate" and saving the certificate to a path on your machine.

  4. Add the cert to your Android phone. I used adb push and then installed it in Settings.

  5. Add the proxy to your network config. Go to "Wi-Fi" → tap the ⚙️ next to your network → tap the ✏️ → under "Proxy" change "None" to "Manual" and enter the IP address and port that you configured in Step 2.
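The device-side part of steps 3 to 5 can be scripted over adb instead of clicked through by hand. The script below is an added example and is not from the original post: it checks that the exported ZAP certificate is really an X.509 cert before pushing it, validates the proxy host and port, and sets or clears the device proxy. It assumes `adb` and `openssl` are on your PATH, a test device is connected with USB debugging enabled, and that Android honours the global `http_proxy` setting for the app under test (some apps ignore it, in which case the Wi-Fi proxy setting from step 5 still applies). The file name `zap-root-ca.cer` and the Settings menu path are assumptions and vary by Android version.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes adb and openssl on PATH
# and a device with USB debugging enabled.

# Confirm the exported ZAP certificate parses as X.509 and show its subject and
# expiry, so you know you exported the right file. ZAP can export PEM or DER;
# try PEM first and fall back to DER.
inspect_cert() {
    cert="$1"
    if openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null; then
        return 0
    fi
    openssl x509 -inform DER -in "$cert" -noout -subject -enddate
}

# Validate an IPv4 address and TCP port before handing them to adb.
# Returns 0 when valid, 1 otherwise.
validate_proxy() {
    host="$1"; port="$2"
    case "$host" in
        *[!0-9.]*|"") return 1 ;;
    esac
    # exactly four dot-separated octets, each 0-255, no empty octets
    n=0
    rest="$host."
    while [ -n "$rest" ]; do
        o="${rest%%.*}"
        rest="${rest#*.}"
        n=$((n + 1))
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ] || return 1
    case "$port" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Copy the certificate to the device. Install it afterwards by hand, roughly
# under Settings -> Security -> Encryption & credentials -> Install a
# certificate (assumed path; the exact menu differs between Android versions).
push_cert() {
    cert="$1"
    inspect_cert "$cert" || { echo "not an X.509 certificate: $cert" >&2; return 1; }
    adb push "$cert" /sdcard/Download/zap-root-ca.cer
}

# Point the device at ZAP via the global http_proxy setting (assumed to be
# honoured by apps using the platform HTTP stack).
set_proxy() {
    validate_proxy "$1" "$2" || { echo "bad proxy $1:$2" >&2; return 1; }
    adb shell settings put global http_proxy "$1:$2"
}

# Clear the proxy when finished so the device is not left routing through a
# host that is no longer listening.
clear_proxy() {
    adb shell settings put global http_proxy :0
}

# Usage on a machine with a connected device (uncomment):
# push_cert "$HOME/zap-root-ca.cer"
# set_proxy 192.168.1.10 8080
# clear_proxy
```

Run `clear_proxy` when the session is over; a forgotten global proxy silently breaks every network app on the device the next time ZAP is not running.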