liato / android-bankdroid

A Swedish banking application for your Android device.
http://www.swedroid.se/forum/showthread.php?t=11108

m.handelsbanken.se being closed #314

Open kanflo opened 9 years ago

kanflo commented 9 years ago

Handelsbanken are closing their mobile site "soon" as they say. Are there any plans for migrating to their API? @liato: I have seen that you started looking into their API some time ago, any progress?

liato commented 9 years ago

@kanflo I was asked by Handelsbanken not to use their API. I guess we'll have to if they're closing down their site.

liato commented 9 years ago

The site is closed now so we'll have to start with the new implementation soon.

goober commented 9 years ago

I do not have any access to an account at Handelsbanken anymore. How about you, @liato?

Gyran commented 9 years ago

I have Handelsbanken. I've tried to remove their certificate pinning in their app but haven't been successful. If someone can help me remove the certificate pinning I can help with their new API.

liato commented 9 years ago

@goober I've got an account. Haven't had much time to take a deeper look at the app yet but this is what I've found so far:

Not sure how much the API has changed since I last took a look at it: http://blog.nullbyte.eu/the-new-handelsbanken-api/

gust42 commented 9 years ago

The app Tink is still working with Handelsbanken, any chance of some help from them you think?

liato commented 9 years ago

@gust42: I wouldn't bet on it.

ellmkay commented 9 years ago

Has there been any further progress on this, and is there something that could be done to assist the development?

@liato, you said they are using certificate pinning, have you been able to bypass this and snoop the actual traffic?

If not, I could give it a shot, I found this guide, and figure it could be worth a try.

liato commented 9 years ago

@ellmkay: No success yet, as soon as you modify the apk or try running it on an emulator the (libTfaAndroid.so module in the) app segfaults.

I don't have a spare phone that I can root at the moment otherwise I would have tried https://github.com/iSECPartners/Android-SSL-TrustKiller

anoyance commented 9 years ago

Why not do it the Tink way? Use their API and one time do a sign with the card reader. After that the code can be used from that device.

New login method with Handelsbanken. Handelsbanken recently made a change so that you can no longer use your personal code for simplified login. This means that we cannot update your account as before. To get going again, we would like to ask you to do an update. What you need to have at hand is your card reader, your login card and the login code for it. This is what you need to do:

  1. Make sure you have the latest version of the Tink app.
  2. In the app, go to Settings - Connected Services (Inställningar - Anslutna Tjänster).
  3. Select your Handelsbanken account.
  4. Tap Status.
  5. Check that your personal identity number is correct, enter your personal code (the same as in the mobile app and for telephone banking) and tap Connect (Anslut).
  6. Tink now creates a control code.
  7. Take out your card reader, insert the login card and press the SIGN button. Then enter the control code you see in Tink into the card reader, press OK and enter your login code for the card reader.
  8. Your card reader now creates a response code, which you enter in Tink.
  9. Tap Connect (Anslut) and you should be up and running again with automatic updates.

If you have questions, you can always contact us at support@tink.se. Kind regards, Fredrik Hedberg, CTO and founder

ellmkay commented 9 years ago

If Tink are willing to share how the signing process works, that would be great. I looked into this a couple of weeks ago, and the API is really easy to figure out (the APK does not do any kind of obfuscation). However, the signing process is done by libTfa, and I tried looking at that using Hex-Rays decompiler, but it didn't work out well. Either they've obfuscated the NDK module, or else Hex-Rays wasn't able to correctly decompile it.

I didn't try running it on a rooted device yet, but that might be a way forward as well.

JakeHedman commented 6 years ago

Maybe this could be used instead? https://developer.handelsbanken.com/products/#account