intercepting cosmo

requirements

• android studio
• rootAVD
• magisk
• httptoolkit

create a device

1. install android studio and android SDK

yay -S android-studio android-sdk-platform-tools

2. run android-studio
3. open the virtual device manager
4. create a new device with the following settings

device:         pixel 8
API:            API 34 android 14.0
services:       google play store
system image:	recommended x86_64 image
default boot:	cold
camera:         none
graphics:       hardware acceleration

5. boot the device
6. open the play store and install cosmo

root the device

1. download rootAVD

git clone https://gitlab.com/newbit/rootAVD && cd rootAVD

2. run the script

./rootAVD.sh ~/Android/Sdk/system-images/android-34/google_apis_playstore/x86_64/ramdisk.img

3. restart the device (cold boot)

become a superuser

1. download magisk

curl -L https://github.com/topjohnwu/Magisk/releases/latest/download/app-release.apk -o magisk.apk

2. sideload magisk onto the device

adb install magisk.apk

3. open magisk on the device, then update and reboot if required
4. ask for root access

adb shell
su

5. switch to the superuser tab in the magisk app and grant permissions when prompted

monitor network traffic

1. install httptoolkit

yay -S httptoolkit

2. run httptoolkit and select Android Device via ADB
3. confirm access on the device, ensuring system trust is enabled
4. open cosmo and create an account
5. monitor traffic inside httptoolkit to find tokens
6. view a livestream to find api key located in a stream.io url

example responses

1. authentication

{
  "user": {
    "id": 123456,
    "email": "cosmo@mail.com",
    "address": "0x3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "nickname": "cosmo",
    "guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  },
  "credentials": {
    "accessToken": "eyJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "refreshToken": "eyJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

2. livestream

wss://video.stream-io-api.com/video/connect?api_key=XXXXXXXXXXXX&stream-auth-type=jwt&X-Stream-Client=stream-video-react_native-v1.24.0%7Cclient_bundle%3Dbrowser-esm"