x-acf-sensor-data



  • Hello,
    I am working on an iOS API and I need to generate a fingerprint "x-acf-sensor-data" but I don't know how. Has anyone previously used that, or does anyone have an idea how I can do it?

    Thanks



  • That's Akamai protection. You need tons of data gathering in order to bypass Akamai, but it is hard.



  • I have recently been looking into one particular app. I found a separate version which is more vulnerable but still has x-sensor-data header requirements. My understanding is it takes FAR too much information from the client to generate the sensor-data yourself. Therefore:

    First, without decompiling the APK, open the APK in ByteCode Viewer. This will convert it to Java classes. Do a string search for: CYFMonitor.getSensorData();

    This is the method that returns the sensor data string. If you find this, you find where the app generates it. Once you know where it is, decompile the APK with apktool. This will give you smali. Navigate to the smali file where you found the getSensorData method. Modify the smali code to output the return sensordata string to logs. You could have your application hook to the window that is displaying logs and parse the SensorData string back to your application.

    Also, you could directly alter the class file in Java so instead of it generating a single code, you could place it in a loop to the amount of data strings you need. Then store each sensordata string in a txt file on the mobile device. Then pull the txt file from the mobile to your APPs dir on the computer. And read directly from the txt file. For the app I am reversing, you only get one use out of each sensordata (regardless of if login was right or wrong). So if you were testing for bruteforce vulnerabilities, you would need a sensordata string for every username/email:password combination.

    Source: https://www.reddit.com/r/androiddev/comments/8ncf3j/bypassing_okhttp3_certificate_pinning_in_android/



  • I have the same problem, but the bytecode does not open the app, which you recommend



  • It should open the app using the drag-and-drop feature. You just have to wait for it to load.


  • Banned

    @Fairy I can't find that js in the app


  • Banned

    @Fairy I searched for that string, I can't find it

