How To Decrypt Firebase Requests To App-measurement.com

We noticed that our iOS app is sending requests to http://app-measurement.com. The body seems to be encrypted or compressed, though:

:method: POST
:scheme: https
:path: /a
:authority: app-measurement.com
accept: */*
content-type: application/x-www-form-urlencoded
content-encoding: gzip
accept-language: en-gb
content-length: 371
accept-encoding: br, gzip, deflate


 ;

_uwa

_pfoq


_oauto

_r

_c_fݶ- 
...

I already checked if it's gzip but that doesn't seem to be it.

Does anyone know how to decrypt this to be able to see the request content?

Answer

It's a gzip compressed protobuf. With decoding tools you can see all the values and types which can be useful. Though without the .proto definition it's a struggle to figure out what it all means.

To decode the request, first get it in the raw form. I do this by exporting an HTTP .trace file and extracting just the body. I've had better luck doing the gzip decompression myself.

Once you have the raw request body, decode it like this:

$ gunzip - < request_body > request_uncompressed.bin
$ protoc --decode_raw < request_uncompressed.bin

Here's a simple CyberChef formula that also decodes it for you: https://gchq.github.io/CyberChef/#recipe=Gunzip()Protobuf_Decode('',false,false)

When it works you'll see the raw protobuf values. They'll look something like this (actual values randomized):

1 {
  1: 1
  2 {
    1 {
      1: "_si"
      3: 161212808641
    }
    1 {
      1: "_et"
      3: 57
    }
    1 {
      1: "_sc"
      2: "SomeControllerName"
    }
    1 {
      1: "_o"
      2: "auto"
    }
    2: "_e"
    3: 161236824
    4: 163120534
  }
  2 {
    1 {
      1: "_si"
      3: 1358166110
    }
    1 {
      1: "_sc"
      2: "SomeControllerName"
    }
    1 {
      1: "_o"
      2: "auto"
    }
    2: "_ab"
    3: 161336826
    4: 163123680
  }
  3 {
    1: 163129524107
    2: "_fi"
    4: 1
  }
  3 {
    1: 15514295
    2: "_fot"
    4: 15514241
  }
  3 {
    1: 1530783276
    2: "_sid"
    4: 1530783376
  }
...
  8: "ios"
  9: "13.5"
  10: "iPhone12,3"
...
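
Added example, not part of the original answer: the same gunzip-then-raw-decode step in Python, for auditing what an SDK sends when protoc is not at hand. The function names are hypothetical, the sample bytes are constructed rather than captured traffic, and the sub-message/text/hex choice for length-delimited fields is a guess made without the .proto.

```python
import gzip

def read_varint(buf, pos):  # base-128 varint -> (value, next_pos)
    value = shift = 0
    while pos < len(buf) and shift < 64:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:      # high bit clear: last byte of the varint
            return value, pos
    raise ValueError("truncated or overlong varint")

def decode_raw(buf):  # schema-less decode -> list of (field_number, value)
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if number == 0 or wire_type not in (0, 1, 2, 5):
            raise ValueError("not a valid protobuf field key")
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        else:
            size = {1: 8, 5: 4}.get(wire_type)   # fixed64 / fixed32
            if size is None:                     # 2 = length-delimited
                size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("field runs past end of buffer")
            chunk, pos = buf[pos:pos + size], pos + size
            value = guess(chunk) if wire_type == 2 else int.from_bytes(chunk, "little")
        fields.append((number, value))
    return fields

def guess(chunk):  # type unknown without a .proto: sub-message, then text, else hex
    try:
        return decode_raw(chunk) if chunk else ""
    except ValueError:
        pass
    try:
        return chunk.decode("utf-8")
    except UnicodeDecodeError:
        return chunk.hex()

def decode_body(body):  # gunzip only if the gzip magic is there (a proxy may have inflated it)
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    return decode_raw(body)

# Constructed sample (not real traffic): 1 { 1: 1  2 { 1 { 1: "_o" 2: "auto" } 2: "_e" 3: 300 }  8: "ios" }
SAMPLE = bytes.fromhex("0a1c080112130a0a0a025f6f12046175746f12025f6518ac024203696f73")
```

On a real capture, pass the bytes of the extracted request_body file to `decode_body`.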
source: stackoverflow.com