Reverse engineering crappy IoT apps is a hobby of mine but a lot of them have started to pin certificates so you cannot see what they are doing behind the scenes. I have put this tutorial together to show how to bypass their concerns on Android 😉.
My name is Josh Mulliken and I am a Product Security Engineer at Red Hat. I also maintain an integration for Home Assistant that allows users to control Wyze devices.
The code for that can be found on Github 👇
GitHub - JoshuaMulliken/ha-wyzeapi: Home Assistant Integration for Wyze devices.
Feel free to visit my site if you want to connect!
Rooted Android Phone
<aside> ⚠️ Since the app's we are interested in are not debuggable we have to be root
Install OWASP Zap
brew install owasp-zap
<aside> ✅ It is available on basically all platforms: https://www.zaproxy.org/download/
pip3 install frida-tools
In "Options" click "Local Proxies" and add a new proxy with a IP address that is accessible from the phone.
NOTE: Be sure to enable "Behind NAT" if you are using a private IP (you should be)
Export the certificate by going to "Dynamic SSL Certificate" and saving the certificate to a path on your machine.
Add the cert to your Android phone. I used
adb push and then installed it in settings
Add the proxy to your network config. Go to "Wi-Fi" → click on the ⚙️ next to your network → click on the ✏️ → Proxy change "None" to "Manual and add the IP address and port that you configured in Step 2