Viber Communication Security
Chapter 3: Experiments
It does nothing more than make sure that any value has the right format: exactly 40 characters in total, where the only allowed characters are the lower-case letters 'a' through 'f' and the digits 0 through 9. Assuming the hash in the str2 variable complies with this requirement, it is written to the corresponding configuration file and from then on used as the udid. Note that the pattern in listing 4 carries no anchors, so it only enforces the exact length of 40 characters when it is applied with Matcher.matches() (whole-input match); with Matcher.find() any string that merely contains 40 consecutive lower-case hex characters would pass.

The above theory has been tested and found to be valid. For example, when Viber is registered in an Android Virtual Device (avd), which is nothing more than a way to emulate an Android device on a regular computer, the default imei of 000000000000000 for any avd is hashed into c02c705e98588f724ca046ac59cafece65501e
static
{
    [...]
    // Compiled once; lower-case hexadecimal, 40 characters, no ^ or $ anchors
    UDID = Pattern.compile("[a-f0-9]{40}");
    [...]
}
Listing 4: UDID pattern in class com.viber.voip.util.Patterns
We found another interesting method regarding the registration process. This method is named generateSignature and the corresponding application code is shown in listing 5. Just like the method described earlier, which generates a udid, the method described in this paragraph is also only a small part of Viber's entire registration process. It is part of the generation of a device key based on an input string passed to the method. This probably sounds similar to the udid described earlier, but in fact it is not: the device key is generated by the Viber services and not on the client side. What the client contributes is a signature over the input string, an HMAC-SHA256 computed with a key that is hard-coded in the application (listing 5) and returned as a lower-case hexadecimal string. Because that key ships with every copy of the application, the signature can be reproduced by anyone who has the application code; it ties a request to the app itself, not to a particular user or device. When the registration process of a new Viber account is initiated, an SSL certificate is retrieved and used to communicate with a web server of the Viber services over HTTP Secure (HTTPS). The URLs for the registration process are present in the application code, shown in listing 6.
// Requires javax.crypto.Mac and javax.crypto.spec.SecretKeySpec.
private String generateSignature(String paramString)
    throws Exception
{
    // HMAC key hard-coded in the application
    SecretKeySpec localSecretKeySpec = new SecretKeySpec(
        "5eb6588086b6b2d054af80527b26caf71d165042175e0f9550ea58a8".getBytes(),
        "HmacSHA256");
    Mac localMac = Mac.getInstance("HmacSHA256");
    localMac.init(localSecretKeySpec);
    // paramString.getBytes() uses the platform default charset
    byte[] arrayOfByte = localMac.doFinal(paramString.getBytes());
    // Hex-encode the MAC: 256 + (0xFF & b) gives "1xx", substring(1) drops the leading 1
    StringBuffer localStringBuffer = new StringBuffer();
    int i = arrayOfByte.length;
    for (int j = 0; ; j++)
    {
        if (j >= i)
            return localStringBuffer.toString();
        localStringBuffer.append(Integer.toHexString(256 + (0xFF & arrayOfByte[j])).substring(1));
    }
}
Listing 5: Method generateSignature in class com.viber.voip.registration.GenerateDeviceKeyManager
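As an added example (not code from the thesis and not Viber's own code), the following Python reproduces the two client-side pieces discussed above: the UDID format check of listing 4, applied both anchored and unanchored to show the difference, and the signature computation of listing 5, with the hex loop transliterated from the Java. Only the key string and the regular expression are taken from the listings; the function names, the sample inputs and the `key` parameter are this example's own assumptions.

```python
import hashlib
import hmac
import re

# Key string as it appears hard-coded in listing 5 (ASCII bytes, as getBytes() yields).
VIBER_SIGNATURE_KEY = b"5eb6588086b6b2d054af80527b26caf71d165042175e0f9550ea58a8"

# The pattern from listing 4, unchanged: no ^ or $ anchors.
UDID_PATTERN = re.compile(r"[a-f0-9]{40}")


def is_valid_udid(value: str) -> bool:
    """Whole-input match, equivalent to Java's Matcher.matches()."""
    return UDID_PATTERN.fullmatch(value) is not None


def udid_check_unanchored(value: str) -> bool:
    """What the same pattern accepts with Matcher.find(): any substring match."""
    return UDID_PATTERN.search(value) is not None


def java_style_hex(data: bytes) -> str:
    """Transliteration of the loop in listing 5:
    Integer.toHexString(256 + (0xFF & b)).substring(1) for every byte."""
    return "".join(format(256 + (0xFF & b), "x")[1:] for b in data)


def generate_signature(message: str, key: bytes = VIBER_SIGNATURE_KEY) -> str:
    """HMAC-SHA256 over the UTF-8 bytes of message, hex-encoded as the client does.
    The key parameter is an assumption of this example; the app uses only the
    embedded constant."""
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return java_style_hex(mac)


if __name__ == "__main__":
    # Constructed sample values, not real registration data.
    good = "a1b2c3d4e5f6" * 3 + "0123"          # 40 lower-case hex characters
    too_long = good + "0"                        # 41 characters
    upper = good.upper()
    for candidate in (good, too_long, upper):
        print(candidate, "anchored:", is_valid_udid(candidate),
              "unanchored:", udid_check_unanchored(candidate))
    # Anyone holding the embedded key computes the same signature the app would.
    print("signature:", generate_signature(good))
```

The test vector used below is RFC 4231 test case 1 (key of twenty 0x0b bytes, data "Hi There"), which confirms that `generate_signature` is a standard HMAC-SHA256 and that the transliterated hex loop agrees with the usual encoding.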