Edit 2: Well I’ll be damned. An extremely knowledgeable and kind stranger just reverse-engineered the whole thing and poured it into a python script. And it’s only Monday. See comments for the script.


Edit: Oh wow, this community is already on fire. Thanks for your advice everybody, I didn’t even think of intercepting the downloads in transit! Brilliant.

I will try to see how far I can get there, but that does sound much easier than rummaging around in iOS. Thank you all :)


Hello,

I’m trying to get the downloaded audio out of an iOS app, but I struggle because the information I can find is mostly rather old, needs some additional software I need to pay for, etc. The content is downloaded post installing the app, so simply accessing the IPA doesn’t help.

I have this app called naturespace (see naturespace.org), it’s an app that has really good recordings of rain, thunderstorms, etc. In my opinion those recordings are far better than anything I’ve heard so far.

Now, I did pay for the content, but the app hasn’t been updated for years now, and there’s also been no new content for years as well. I wrote to the owners but didn’t get any response. I guess you could consider it abandoned at this point.

Since I fear that the app will stop working anytime soon, I’d like to save that content.

I’m a bit tech savvy, I can work with CLI and such, but I’m not a professional coder or hacker, any help is appreciated.

  • HiDefMusic@feddit.uk · 1 year ago

    So I’ve reverse-engineered the naturespace Android APK and the files it downloads are definitely encrypted. They’re zip files (named as .nzp) that are XOR obfuscated with a rotating key every X amount of bytes. I haven’t quite worked out how the key rotates itself but I’m close. If I get it working I’ll put the details here and I can give you a Python script to grab whatever sounds you need.

    • quandoquando@slrpnk.net (OP) · 1 year ago

      Ha, I was just writing an update when your comment came.

      I followed your advice and installed mitmproxy (basically fiddler2 but open source), which was easy enough, and managed to find that the app just posts GET requests to the homepage, which result in a 302 Temporarily Moved, which ends on a public S3 folder.

      The GET request includes some “ID”, which I’m not sure I should post publicly, maybe it might identify me? It’s like:

      GET http://www.naturespace.com/ns5ios/?command=download&path=%2Fmedia%2Fmodules%2Fcom.HolographicAudioTheater.Naturespace.Aegir&lang=en&id=REDACTED&bvrs=5.15&sysv=16.5&model=iPhone&bid=com.HolographicAudioTheater.Naturespace&sys=iOS&loc=en_DE HTTP/1.1

      But yes, it seems the files are encrypted. I couldn’t find anything to open them, and no file identifier knows what it is. If you manage to get somewhere, that’d be awesome, my tech knowledge definitely ends here lol.

      I guess it’s not actually illegal to post this, since it really is just a public folder, so if anyone else wants to look at it, here’s a file.
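
Why no file identifier recognises such a download, and why XOR obfuscation of a ZIP is not encryption, shown as an added example that is not part of the thread or of the commenter's script. The fixed repeating key and the in-memory sample ZIP are constructed assumptions; the app's actual key rotation is not described on this page.

```python
import io
import zipfile
from itertools import cycle

ZIP_MAGIC = b"PK\x03\x04"         # local file header signature at offset 0 of a ZIP
KEY = b"\x5a\xc3\x19\x7e\x21"     # constructed key, NOT the app's real key or schedule

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated over its whole length (same call undoes it)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def make_sample_zip() -> bytes:
    """Build a small constructed ZIP in memory as a stand-in for a download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("track.txt", "constructed sample payload\n" * 20)
    return buf.getvalue()

def looks_like_zip(data: bytes) -> bool:
    """What a signature-based file identifier checks first."""
    return data[:4] == ZIP_MAGIC

def leaked_key_prefix(obfuscated: bytes) -> bytes:
    """The known ZIP signature XORed with the first bytes exposes key bytes."""
    return xor_repeat(obfuscated[:4], ZIP_MAGIC)

def list_names(data: bytes) -> list:
    """Open bytes as a ZIP archive and return its member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

if __name__ == "__main__":
    original = make_sample_zip()
    obfuscated = xor_repeat(original, KEY)
    print("identified as zip before:", looks_like_zip(original))
    print("identified as zip after: ", looks_like_zip(obfuscated))
    print("key bytes leaked by header:", leaked_key_prefix(obfuscated).hex())
    print("members after undoing XOR:", list_names(xor_repeat(obfuscated, KEY)))
```

A format with a fixed header gives away key material to anyone who knows the format, which is why content that must stay confidential needs an authenticated cipher with a properly managed key rather than XOR.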