Nissan Connect Updated API

So Nissan published new versions of their mobile apps for the Nissan LEAF, with upgraded security.
A-Good-Thing™.

But doing so, they added an unnecessary level of complexity on their API: the passwords sent by the mobile apps are now encrypted!

I battled most of the evening, trying to find how they encrypt the passwords, to be able to reproduce it, and I as finally able to! [1]

They encrypt the passwords using “Blowfish/ECB/PKCS5Padding”, and the key is a string returned by the API before the login API endpoint is used. That key seems to always be the same for now, but since they return it in an API response, I’m pretty sure the app will use that, and we should too.

Proof of concept in Java, PHP or Javascript, and a web service that takes a password in parameter, and outputs the encrypted password expected by the new Nissan Connect API.

Hooray!

I has now updated my Nissan Connect PHP Class and LEAF one-click mini site with that knowledge. [1] So how was I able to find that, you ask? Well, it wasn’t easy… I tried to enter many different passwords in the app, and checked what was actually sent to the server by the app, for each password. I noticed the password sent was:

  • Base-64 encoded;
  • Variable length, but always a multiple of 8 bytes (8 bytes for passwords less than 8 characters, 16 bytes for passwords less than 16 characters, etc.);
  • Always encrypted the same way, for all users.

So everything pointed to encryption, using padding, and a constant key (and salt). I tried many combinations manually, but couldn’t find an algorithm that resulted in the same encrypted string.

After about two hours, I had an idea: take the APK from my rooted Android phone, and try to look in there, if I could find what they used.

The tools I used:

  • Titanium Backup to backup the Nissan LEAF APK.
  • adb pull /sdcard/TitaniumBackup/*nissan* .
  • Rename the .apk into .zip, and extract it.
  • dex2jar to extract classes.dex into a .jar file.
  • Java Decompiler to browse the .jar

I found the login fragment, which referred to a Utilities class that contained all the encryption code. From there, I struggled for a bit because that class implements both Blowfish and EAS encryption, and I tried EAS first, and couldn’t make it work. Then I tried Blowfish, and it worked!

comments powered by Disqus