hacker
android

Hack your way into the Misfit

Leave a comment

Looking into the messy and promising world of IoT

And of course, all the other wearable devices (well, I won’t explain for them right here but the list is very long and not limited to : the Vivofit, Vivofit 2, your educational radar (yeah those one telling you in RED that you are currently over-speeding the 50Km/h limit BY 1Km/h !), etc…

But Here we are… I was given a Misfit Flash device few weeks ago and after some research on Google (I really like the filters 😉 inurl, etc…), I finally grabbed a SDK – the first one I found was limited – in parallel, I also checked on the website how could I grab the official SDK since I really wanted to work on my own app to perform those actions :

  • Grab my sleepin’ information
  • Show me how well I worked out during the day B° (you know, sitting down, getting up to grab my food when I am working in from of my Desktop :p)

Making your way into the hood

Well, I found some interesting information when compiling the example app given with the zipped archive I found.

First of all, launching the app, it was not anymore possible to use the app :( the SDK seemed to limit the app usability to :

  • having your Android devices connected to Internet
  • having the “network time” inferior to a timestamp based barrier !

” Dam**** ” – I first thought but hey, I am “security researcher” – so grabbed the misfit-sdk-android.jar file and exploded it \o/

mkdir tmp ; cd tmp ; unzip ../misfit-sdk-android.jar

^ I am a rockstar

What tools did I used then ? * JD-GUI * JBE

JD-GUI : used to reverse engineered quick enough the library and look into the hood JBE : Well, rewrite the class to later simply do this (i.e.)

jar ufv ../misfit-sdk-android.jar com/misftiwearables/..../SDKSetting.class

Those two part were really funny to perform

Rewrite the world to conquer the universe

My way into the library was really informative. I found some fuc***** newbies errors in it. First, they assumed that everything was “proguarded” well enough (seriously dudes…). Secondly, “shut your a**** !?”, 0_0, you put hardcoded non-possible proguardable values into the code to check the current timestamp to this long value. Yikes!! And terrible to show self confid… – Hum not sure about this one

Those type of coding issue were present in few place in the library – very easy to find, easy to circumvent and easy to reinsert (go to jar uf)

Please note that I found a day later, a complete SDK without those coding garbages in it :p – this library was the one I will use for now !

Betrayed by the company

I looked into the Documentation and the SDK, ** I DID NOT FIND ANY INFORMATION ABOUT THE SLEEP INFORMATION /!\ **. Maybe it was beacause the SDK found was too old, I then checked on Internet and I was completely surprised to see THAT ALL SDK lacks of those information. Seriously Misfit ? You keep those lines for you.

I reversed engineered the app to look for those lines – B)

adb pull /data/app/com.misfitwearables.prometheus....
mkdir misfit_tmp ; misfit_tmp ; unzip ../com.misf.....apk 
dex2jar classes.dex
open classes_dex2jar.jar -a JD-GUI # look into the source
mkdir ../misfit_decompiled ; cd ../misfit_decompiled ; unzip ../misfit_tmp/classes_dex2jar.jar

I then cross checked the two jars. I saw that the proguard feature was not used the same way (some classes were not proguarded in the app)

I finally erased all the non useful packages from the misfit_decompiled folder (the open sourced libraries, sdks etc…)

and applied the magic formula

jar uf path_to_misfit.jar com

AND TADAAA !

I now have a completely useful SDK (well, after copied the libstlport_shared.so and libSleepAlgorithm.so libs to the libs/armeabi folders

Final thing, I kept the Version file from the archive I found … but replaced the content to 1.x-codlab

Tidy things up

All this is not cleaned as for now. So what is currently needed to do :

  • rewrite the current SDK Documentation provided by Misfit since even for the current SDK, the documentation pdf is outdated or wrong (wrong class names, missings methods, members) (1)
  • add the whole Sleep information capability into the new documentation
  • create a proper gradle implementation – 2015… Eclipse is at its Sunset in the Android Development branch regarding IntelliJ and Android Studio
  • Create a github project
  • bring the whole project into our real world
  • rewrite internal classes for more clarity and efficiencies

Conclusion

To all companies out there – When you have successful products, open them, open the way for people to contribute, it is worth the risk – does your competitor did things like me before me, YES, did they will continue, YES. I consider opening a SDK is the minimum thing to do in 2015. Any script kiddies can achieve what I just did during those few days

Note : I will never mention here how I completely reversed the current firmwares in the archive and that I am currently able to change the way the Misfit behaves (seems that I can’t do anything but 80% is the current limit, I think)

Nota bene

People, CEO, CTO, I don’t care – please… MAKE SOMETHING ABOUT THE SECURITY OF YOUR DEVICES ! I can sniff around in the bus/trains/… and dump every non-synchronized data from your devices to your smartphone without having any user behing aware that I am doing this !!!

Leave a Reply