onyxbits / raccoon4

APK Downloader for Google Play
https://raccoon.onyxbits.de
Apache License 2.0

BadAuthentication on raccoon-4.18.0 #95

Closed edgarschuller closed 3 years ago

edgarschuller commented 3 years ago

Hi, I'm using raccoon-4.18.0, but I'm getting a BadAuthentication error.

I also tried to recreate a new Google account, but I'm having the same issue.

onyxbits commented 3 years ago

For support, please open a support ticket (Help|Support menu).

jpstotz commented 3 years ago

It looks like the authentication workaround using the specially configured cipher suites has some limitations. I also encountered this problem even after allowing "Less Secure apps" in the Google account.

In the future there may be an alternative way to fix such issues:

Looking at the traffic of the latest Play Store app, the authentication scheme has completely changed. Instead of the `"Authorization", "GoogleLogin auth=" + token` header, the app now uses `"Bearer " +` some base64 encoded data as the value. This looks like standard OAuth authentication; if it really is standard OAuth, then this would be an opportunity:

OAuth only requires password-based authentication the first time; afterwards you only need the authentication and refresh token. That would mean Raccoon could just use those tokens for authentication, and even saving the password would no longer be needed.

And for the first authentication it would be possible to use web-based authentication, e.g. by using an already installed web browser or alternatively some WebView element integrated in Raccoon (unfortunately plain Java does not seem to provide a WebView; only JavaFX or SWT provides one). Then for the initial login the same web page could be used that is used on an Android device to authenticate and get the OAuth token, and afterwards the authentication would not be a problem anymore.

onyxbits commented 3 years ago

> Looking at the traffic of the latest Play Store app, the authentication scheme has completely changed. Instead of the `"Authorization", "GoogleLogin auth=" + token` header, the app now uses `"Bearer " +` some base64 encoded data as the value. This looks like standard OAuth authentication; if it really is standard OAuth, then this would be an opportunity:

It is standard OAuth2. The Base64 data is the old auth token.

The problem starts sooner though. The BadAuthentication error does not come from Play, but from Google's account manager.

> And for the first authentication it would be possible to use web-based authentication, e.g. by using an already installed web browser or alternatively some WebView element integrated in Raccoon.

AFAIR Google throws a giant piece of JavaScript at the browser that is supposed to do bot detection. So nothing short of a real browser will work.

jpstotz commented 3 years ago

> AFAIR Google throws a giant piece of JavaScript at the browser that is supposed to do bot detection. So nothing short of a real browser will work.

I am aware that this login page contains a lot of JavaScript. Therefore I suggested using a WebView. From my perspective, a WebView is a full-fledged web browser embedded as a component into an application. I don't know how the JavaFX WebView works, but the SWT version uses the built-in web browser of the OS. On Windows, for example, the IE engine or, if installed, the Edge WebView2 engine.

babyquin commented 3 years ago

Is there any way to fix this problem? Thanks.