Advice Needed on Where To Start?

blueelvis

Hello Sysnative ^_^,

A few students in our university released an Android app for checking attendance. The attendance is available at a link where we need to log in, and there is a captcha as well. Now, once we are logged in, the main page opens, and from there we need to select the Attendance Page from the dropdown list. Once the link is opened, the attendance is shown on the next page. So, I was wondering: how is the app made? The app consists of a simple login and the same captcha from the original page, and then it shows the attendance.
So, my question is: how does all this data connect with each other and flow, and where should I start for building such applications? Can such applications be made in C# for Windows as well?


Regards,
Pranav
 
Have you asked which language(s) and framework they're using?

I suppose you could write it with C# and ASP.NET, but I'm not a programmer, and therefore not entirely sure about this. It sounds like some server-side script with a UI thrown on top.
 
They won't tell me <_<

The attendance portal is hosted by our university. I don't think they could have got access to the database directly from the college. Any other ideas?
 
I am guessing that they wrote it with either ASP.NET or PHP/MySQL. I hope that they used php/mysql, because to me that is just easier and plays with android a lot better. I find it kinda dumb that they won't even let you know what language they wrote it in. I guess they don't know that a copy is the finest form of flattery. As for the database being hosted by your uni, I imagine that they could have had access to part of it. You can give access to certain tables in a database. I can try and help you a little bit more but honestly this is a pretty big project for one person to take on.
 
Yups, it is flattery but I am not planning on doing a copy or anything like that. I am simply interested in learning on how the things are working behind the scenes. Is there any other method which could allow them to grab the data without accessing the Database o.O


-Pranav
 
No, they need access to the database to do all of the attendance, unless they were given a copy of the database, but I doubt that they were just given that.
 
A copy of the database is not feasible because the attendance records change every day and even during the day. Add to that the overhead of downloading and then updating the original database as well.
I will see if I can ask a member of their team to get more details.
Thanks ^_^
 
I doubt they got access/copy of the database as there are lots of red lines they would have to cross.

I imagine they wrote some type of API that just masks some underlying site.

Most people I know who develop for Android use Java. They could however have done a site in .Net/PHP/etc and just hid it in a browser in an Android app.
 
Yup, this is what I was thinking that there are too many lines they would need to cross.

Is it possible to do this kind of technique? : O
Could you please provide me with more details?

-Pranav
 
Don't worry. Enjoy the holidays with your parents :)

I will take a look at that. Seems interesting!
 
I'm with Geoff here, I think a private API is a lot more likely. Capture web traffic with Wireshark and see if you can spot how your phone is connecting to the server - the API might be fairly obvious and you can build a quick program to use it. I'd also recommend capturing traffic accessing it through your browser because it can't hurt to have too much information and it might give you clues - e.g. if the captcha is something as simple as posting authenticated=1 as a parameter then this becomes a lot more simple!

Alternatively, reverse engineer the app and look through the code (never actually done this for android apps, but it doesn't seem too hard) : https://code.google.com/p/android-apktool/
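
The `authenticated=1` case mentioned above, seen from the server's side, as an added example that is not part of the original post or the university portal's code: a login handler that trusts a client-sent flag next to one that checks the captcha against server-side session state. All names (`login_weak`, `login_strict`, `SESSIONS`, `USERS`) and the sample credentials are hypothetical and constructed for illustration.

```python
import hmac
import secrets

USERS = {"student1": "correct horse"}   # constructed credential store (plaintext only for brevity)
SESSIONS = {}                           # session id -> expected captcha answer

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = None
    return sid

def issue_captcha(sid):
    # The answer stays on the server; a real client only ever receives the image.
    alphabet = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
    SESSIONS[sid] = "".join(secrets.choice(alphabet) for _ in range(6))
    return SESSIONS[sid]

def same(a, b):
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def password_ok(form):
    stored = USERS.get(form.get("user", ""))
    return stored is not None and same(stored, form.get("password", ""))

def login_weak(sid, form):
    # Flawed: the captcha result is taken from a field the client controls.
    solved = form.get("authenticated") == "1" or form.get("captcha") == SESSIONS[sid]
    return solved and password_ok(form)

def login_strict(sid, form):
    # The expected answer is read from server-side state and consumed,
    # so it cannot be skipped with a flag or replayed on a second attempt.
    expected, SESSIONS[sid] = SESSIONS[sid], None
    if expected is None or not same(expected, form.get("captcha", "")):
        return False
    return password_ok(form)
```
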
 
Would Wireshark capture the traffic if I run the app on my mobile and both my laptop and mobile are connected to the same network?

Regarding the reverse engineering, that is a really good option. I will try it and post back on how it goes.

Merry Christmas Tom and Geoff ^_^

-Pranav
 
Geoff, you were right about the wrapper. I checked out the code and it seems like yes, they are using the Wrapper classes. They are simply showing the webpage in a different manner and generating the captcha using the university's captcha module and then opening the sockets.
Once you are back and free, I hope you could provide me with a much clearer explanation of this and whether this could be achieved in normal C# apps as well?


Thanks!

-Pranav
 
