Even though manual extraction is not particularly difficult, I tried automating the whole process in PowerShell. The script contained in this directory automatically downloads the rewe apk from uptodown, extracts the certificate bundle from it and splits it into a PEM certificate and a private key. It has some command-line options (including the ability to just extract pem and key from a manually obtained pfx), described in #usage.
Caution
The PS script opens the apk in memory as a zip archive to extract the pfx from it. Windows Defender does not seem to like this very much.
In a PowerShell window, run this one-liner, which clones the repo, temporarily sets the execution policy for the current process only and executes the script:

```powershell
git clone https://github.com/ByteSizedMarius/rewerse-engineering; Push-Location .\rewerse-engineering\docs; Set-ExecutionPolicy Bypass -Scope Process -Force; .\rewerse-engineering.ps1; Pop-Location
```

You can also quite easily extract the pfx manually:
1. Download the apk. The version does not really matter. However, pay attention to which download button you click, as many of these sites have been introducing dark patterns to get you to install their store instead.
2. Rename the file from `.apk` or `.xapk` to `.zip` and open the zip.
   - If you had an xapk file: copy `de.rewe.app.mobile.apk` out of the zip and redo step 2 with this apk.
3. Navigate to `/res/raw`, where you will find `mtls_prod.pfx`. Copy it out of the zip.
4. Extract key and pem from the `.pfx`:
   - Using the PowerShell script: `.\rewerse-engineering.ps1 -PfxPath "<Path to .pfx>"`
   - Or Torben's openssl commands
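The manual steps above (and the note further down that xapk builds need unzipping twice), done in memory without writing the archive to disk, as an added example in Python. This is not the repository's PowerShell script nor Torben's helper; the member names `res/raw/mtls_prod.pfx` and `de.rewe.app.mobile.apk` are taken from the steps above, the 1 MiB size cap and the sample archives at the bottom are my own constructed assumptions (a placeholder blob stands in for the real pfx).

```python
import io
import sys
import zipfile

PFX_MEMBER = "res/raw/mtls_prod.pfx"   # where the pfx lives inside the apk (from the manual steps)
INNER_APK = "de.rewe.app.mobile.apk"   # the apk nested inside an xapk (from the manual steps)
MAX_PFX_SIZE = 1 << 20                 # assumption: a client cert bundle is a few KiB, refuse more


def extract_pfx(package: bytes) -> bytes:
    """Return the raw mtls_prod.pfx from an apk or xapk, working purely in memory.

    An apk is a zip holding the pfx directly; an xapk is a zip holding the apk as a
    member, so the xapk case recurses exactly one level (the "unzip twice" case).
    """
    with zipfile.ZipFile(io.BytesIO(package)) as archive:
        names = set(archive.namelist())
        if PFX_MEMBER in names:
            info = archive.getinfo(PFX_MEMBER)
            # The download comes from a third-party mirror: cap the decompressed size
            # so a malicious archive cannot turn this into a decompression bomb.
            if info.file_size > MAX_PFX_SIZE:
                raise ValueError(f"{PFX_MEMBER} claims {info.file_size} bytes, refusing")
            return archive.read(PFX_MEMBER)
        if INNER_APK in names:
            return extract_pfx(archive.read(INNER_APK))
    raise FileNotFoundError(f"neither {PFX_MEMBER} nor {INNER_APK} found in package")


def _build_zip(members: dict) -> bytes:
    """Pack a name -> bytes mapping into a zip (used only for the constructed fixtures)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not the real app or certificate: a placeholder "pfx"
# inside a minimal apk, and that apk wrapped inside a minimal xapk.
FAKE_PFX = b"\x30\x82\x01\x00 placeholder pfx bytes (constructed)"
SAMPLE_APK = _build_zip({"AndroidManifest.xml": b"<manifest/>", PFX_MEMBER: FAKE_PFX})
SAMPLE_XAPK = _build_zip({"manifest.json": b"{}", INNER_APK: SAMPLE_APK})


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: python extract_pfx.py <rewe.apk|rewe.xapk>  -> writes mtls_prod.pfx
        with open(sys.argv[1], "rb") as f:
            pfx = extract_pfx(f.read())
        with open("mtls_prod.pfx", "wb") as f:
            f.write(pfx)
        print(f"wrote mtls_prod.pfx ({len(pfx)} bytes)")
    else:
        assert extract_pfx(SAMPLE_APK) == FAKE_PFX
        assert extract_pfx(SAMPLE_XAPK) == FAKE_PFX
        print("self-test ok: plain apk and nested xapk both yield the pfx")
```

Run it with the downloaded file as the only argument; with no argument it runs against the constructed fixtures. The size cap is worth keeping even though it looks paranoid: the header-declared `file_size` is what `zipfile` uses as the upper bound when reading, so checking it before `read()` is a cheap defence when the archive comes from an ad-laden mirror rather than the vendor.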
Usage:

- Run the PowerShell script: `.\rewerse-engineering.ps1`
  - Optional: Provide a working directory (`-WorkingDirectory <Path>`); if not provided, the current working directory is used
  - Optional: Provide the apk file to use (`-ApkFile <Path>`); if not provided:
    - the working directory is searched for an apk file
    - if none is found, rewe apk ver. 5.7.3 is downloaded from uptodown.net
  - Optional: Just extract key/pem from `mtls_prod.pfx` in the current working directory (`-Pfx`)
  - Optional: Just extract key/pem from the pfx at the given path (`-PfxPath <Path>`)
  - Optional: Just download the apk to the current working directory (`-Dl`). Note: the file extension is always `.apk`, even when the download is actually an xapk.
Apk versions tested with the script:
| version | tested |
|---|---|
| 5.7.3 | ✅ |
| 4.1.0 | ✅ |
| 4.0.3 | ✅ |
| 4.0.2 | ✅ |
| 3.21.4 | ✅ |
| 3.20.0 | ✅ |
| 3.19.3 | ✅ |
| 3.18.6 | ✅ |
| 3.18.5 | ✅ |
| 3.18.4 | ✅ |
| 3.18.3 | ✅ |
| 3.18.2 | ✅ |
| 3.18.1 | ✅ |
| 3.18.0 | ✅ |
| 3.17.5 | ✅ |
| 3.16.6 | ✅ |
| 3.16.5 | ✅ |
| 3.16.2 | ✅ |
Notes:
- Torben also has a python helper for extracting the cert that's a bit less overengineered
- Starting with v3.19, the app seems to be packaged as an xapk, which means the apk containing the certificate is nested inside another zip. This requires unzipping twice
- The pfx bundled with the apk uses an old PKCS#12 encryption scheme (RC2-40-CBC) that is not supported everywhere; OpenSSL 3, for example, only handles it when the legacy provider is loaded. You may have to convert it to a newer format if you are experiencing strange issues (ask me how I know)
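Splitting the pfx into certificate and key, with the legacy-format failure from the last note turned into an actionable error, as an added example in Python using the `cryptography` package. This is not the repository's PowerShell code and not Torben's openssl commands. The `password` argument is an assumption: the page does not say whether `mtls_prod.pfx` is password-protected, so the default is "no password". The self-signed key and modern (AES) pfx built at the bottom are a constructed fixture, not the REWE certificate.

```python
import datetime
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


class LegacyPfxError(ValueError):
    """The pfx could not be parsed: wrong password, or an algorithm (e.g. RC2-40-CBC)
    that the OpenSSL build behind `cryptography` does not enable."""


def split_pfx(pfx: bytes, password: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (cert_pem, key_pem) from a PKCS#12 blob. `password=None` is an assumption."""
    try:
        key, cert, _extra_certs = pkcs12.load_key_and_certificates(pfx, password)
    except ValueError as exc:
        # OpenSSL 3 refuses RC2-40-CBC unless the legacy provider is loaded, and
        # cryptography reports that (like a bad password) as a ValueError.
        raise LegacyPfxError(
            "could not parse pfx: wrong password or unsupported legacy encryption. "
            "For an RC2-40-CBC bundle convert it first with "
            "`openssl pkcs12 -in mtls_prod.pfx -legacy -nodes -out mtls_prod.pem`"
        ) from exc
    if key is None or cert is None:
        raise ValueError("pfx does not contain both a private key and a certificate")
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),   # plain key file, matching the "-nodes" style output
    )
    return cert_pem, key_pem


def build_sample_pfx(password: bytes) -> bytes:
    """Constructed fixture: throwaway self-signed cert packed as a modern (AES-encrypted) pfx."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"sample", key, cert, None, serialization.BestAvailableEncryption(password)
    )


if __name__ == "__main__":
    sample = build_sample_pfx(b"changeit")
    cert_pem, key_pem = split_pfx(sample, b"changeit")
    with open("mtls_prod.pem", "wb") as f:
        f.write(cert_pem)
    with open("mtls_prod.key", "wb") as f:
        f.write(key_pem)
    print("wrote mtls_prod.pem and mtls_prod.key from the constructed sample")
```

If `split_pfx` raises `LegacyPfxError` on the real file, `openssl pkcs12 -info -in mtls_prod.pfx -noout` names the PBE algorithm in use; for the RC2 case the `-legacy` conversion from the error message produces a PEM that this function (or any client) can consume, and `openssl pkcs12 -export -in mtls_prod.pem -out mtls_prod_new.pfx` re-packs it with OpenSSL 3's modern defaults if you need a pfx again.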