Reverse engineering truecaller mobile app…. and making a bot out of the exposed APIs

So here’s the thing…. I really like the concept of knowing the contact info of an unknown number but hate the part where I give the whole dialer + contact_list + last_seen access to an app to publish it in a public database with questionable security.

Which lead me to creating this project.

> Getting the endpoints from truecaller web-app

After logging into the web-app the tc server generates a session token which is used to AUTH subsequent requests.

The problem I ran into was that truecaller only allows the lookup of 10 numbers/day on its website. For anything more than this you have to use their mobile app. So onto the next step….. breaking their andorid app.

> Reverse engineering the android app

We can use tools like burpsuite proxy to intercept normal requests on any device (android, iOS etc.) by just installing a custom ca certificate onto the device to trust and routing all the traffic through the proxy.

Here’s how to do it with burp.

But modern apps use something called SSl-pinning. This allows them to use their own ssl certificate store instead of trusting the device’s own certificates.

Detailed writeup here.

So if we want to intercept network requests of an SSL pinned app we must first find a way to disable it or add our own certificate to the app’s trusted cert store. This involves roughly these steps ->

  • Decompile the app using apk-tool to generate smali code for the app.
  • Remove all the certificate verification checks from the code (actually hard depending on implementation)
  • Recompile the app and sign it.

Luckily shroudedcode has made an awesome cli app to do just that.

This method may or may not work depending on the app’s version as its implementation of ssl-pinning may differ from what apk-mitm aims to patch. I reccomend trying out any older version of the app if the tool fails on the newer one.

Another frequently used technique used by app-sec professionals is frida. Which is described best as greasy monkey for andorid apps. If you don’t have a rooted device for frida runtime. You can use a sub-framework called objection to embed frida runtime in the app itself.

Last technique to disable cert-pinning, which is also my favorite one so far is using good old xposed framework with justtrustme module. This disables ssl-pinning across the board for the whole device.

Setting up environment ->

I went with bluestacks instead of avdmanager because it didn’t want the bloat(android studio) that comes with it.

After installing bluestacks, I recommend this tool to root the vm and install xposed framework on it with minimal hassle.

After doing that, use oxyproxy to proxy to our burpsuite machine. and install the burpsuite ca certificate using this app. After doing all of that just install the truecaller app on your vm and you are ready for some interception.

I used a fake mobile number from some sketch sms-recieve site to register for the app.

Also, If for some reason the verification fails and you are blocked for x amount of hours before retrying, just change the android-id and imei fom the bluestacks-tweaker’s device section.

This is the request that the app sends to log in a user ->

Once successful it returns a session token which is valid till you logout of the app.

Now when you try to search for a number it generates this request ->

This returns a json response with plethora of information. Everything form public email addresses to profile pics to social media links.

Mission successful ! now all we gotta do is replicate this request and give it a better front end.

Making a telegram bot out of it ->

Wrapping all of this up I replicated this request in go and used this library to make a telegram bot out of it.

Here’s the github gist for the same. Just replace the session token and bot auth token with your session token and bot token and you are good to go.

Some notes ->

  • Officially tc limits the free accounts to 100 lookups a month, but I was able to do much more than that. IDK how…
  • I am just marshalling the json responses into a string, and pretty-printing to the telegram chat {too lazy to make gigaton of structs and massaging the json o/p)