# AWS Signature V4 Implementation Analysis

## Key Findings

### 1. Token Inject Interceptor (`g9/w.java`)
**Class**: `g9.w implements uq.w` (OkHttp Interceptor)

**Functionality**:
```java
public uq.d0 intercept(w.a chain) {
    uq.b0 g10 = chain.g();
    String a10 = this.f19301a.a(); // Gets token from session (g9.d)
    if (!(a10 == null || a10.length() == 0)) {
        g10 = g10.h().m("Authorization", "Bearer " + a10).b();
    }
    return chain.b(g10);
}
```

**What it does**:
- Takes token from user session (`g9.d`)
- Adds `Authorization: Bearer <token>` header
- **This is USER authentication, NOT app-level!**

### 2. AWS Signature V4 Implementation (`o6` package)

**Key Classes**:
- `o6.m` - Applies signature to request
- `o6.k` - Credential scope builder
- `o6.l` - AWS signing logic
- `o6.n` - String to sign generator

**Signature Format** (`o6/m.java` line 37):
```
Authorization: AWS4-HMAC-SHA256 Credential=<scope>, SignedHeaders=<headers>, Signature=<hex>
```

**Headers Added**:
- `X-Amz-Algorithm`: AWS4-HMAC-SHA256
- `X-Amz-Credential`: Access key + scope
- `X-Amz-Content-Sha256`: Body hash
- `X-Amz-Date`: ISO 8601 timestamp
- `X-Amz-Security-Token`: Session token (if present)
- `X-Amz-SignedHeaders`: List of signed headers
- `X-Amz-Signature`: The actual signature

### 3. Why Your Token Doesn't Work

**The Problem**:
1. OAuth token (`cpc-appcheck-android`) is for **app attestation** only
2. `g9.w` interceptor requires a **USER session token** (from `g9.d.a()`)
3. AWS APIs may ALSO require signature if direct API Gateway access

**Two Authentication Layers**:
1. **User Auth**: `Authorization: Bearer <user_token>` (from login)
2. **AWS Signature**: AWS4-HMAC-SHA256 (if direct API Gateway access)

### 4. Root Detection

**Found**: `com.google.firebase.crashlytics.internal.common.CommonUtils.isRooted()`
- Line 322 in CommonUtils.java
- Used for Firebase Crashlytics telemetry
- **NOT for blocking functionality**

### 5. SSL Pinning

**Found**: `okhttp3.CertificatePinner`
- Default implementation: `CertificatePinner.DEFAULT` (no pinning)
- Can be configured in OkHttpClient builder
- Need to check if app configures custom pinning

## Next Steps

### To Access APIs:
1. **Get user session token** (requires username/password login)
2. Hook `g9.d.a()` to see what real user tokens look like
3. Check if AWS signature is actually used for these endpoints

### To Bypass Security:
1. **Frida Hook `g9.w.intercept()`** - Inject custom tokens
2. **Hook `g9.d.a()`** - Return fake session tokens
3. **Hook SSL Pinning** - If configured (need to verify)
4. **Hook Root Detection** - If it blocks anything (unlikely, just telemetry)

## Code References

| Component | File | Description |
|-----------|------|-------------|
| Token Interceptor | `g9/w.java` | Adds Bearer token from session |
| Session Manager | `g9/d.java` | Stores user session token |
| AWS Signer | `o6/m.java` | Applies AWS Signature V4 |
| AWS Config | `o6/e.java` | Signing configuration |
| Root Check | `com/google/firebase/.../CommonUtils.java` | Firebase telemetry |
| SSL Pinning | `okhttp3/CertificatePinner.java` | Certificate validation |

## Attack Surface

### High Priority:
- [ ] Hook `g9.d.a()` to capture real user tokens
- [ ] Test if user login returns different token type
- [ ] Check if AWS signature is actually validated

### Medium Priority:
- [ ] Check for certificate pinning configuration
- [ ] Test anonymous tracking (no auth needed?)
- [ ] Reverse engineer login flow

### Low Priority:
- [ ] Bypass root detection (probably doesn't block)
- [ ] Test emulator detection