Adapter for `firebaseinstallations.googleapis.com`

[baltpeter]

Endpoint URL: https://firebaseinstallations.googleapis.com/v1/projects/*/installations

Sample requests:

• worrying-confessions,40755
• informed-consent,563944
• do-they-track,81657
• ios-watching-you,33759
• monkey-april-2024,734
• monkey-july-2023,75503

[baltpeter]

Official documentation on the Firebase Installations API/SDK:

• https://firebase.google.com/docs/projects/manage-installations
• https://console.cloud.google.com/marketplace/product/google/firebaseinstallations.googleapis.com
• https://firebase.google.com/docs/reference/android/com/google/firebase/installations/FirebaseInstallations

[baltpeter]

The body has a fid parameter (e.g. "fid":"ejj4195USJykejcWxX3K3J"). That is the Firebase installation ID.

[baltpeter]

Urgh. In the new monkey run, we have a request where the body is not JSON but JS. -.-

https://data.tweasel.org/data/requests/monkey-april-2024,49780

{fid: 'eicruEJCM8UPXoL66P16PG', appId: '1:722550545529:android:82c62205f0ef0ea96608a8', authVersion: 'FIS_v2', sdkVersion: 'o:a:mlkit:1.0.0'}

But looking at the headers, it seems like that was sent manually by the app developer, not by the SDK, lol.

x-goog-api-key: AIzaSyCFwAkppu5iTGrHIwJWrCVELOrpKO6DDUg
content-type: application/json; charset=utf-8
content-length: 141
accept-encoding: gzip
user-agent: okhttp/3.12.13

[zner0L]

While testing the TrackHAR web UI, I found that the x-firebase-client header actually contains more information than just the SDK version. In a run I did with the co.gocrush app (HAR file of the run) it contained a base64-encoded and gzipped JSON, which also encoded the device name, a date, the os version and name, as well as the device model and manufacturer ([decoded in Cyberchef](https://cyberchef.bn.al/#recipe=From_Base64('A-Za-z0-9-_',true,false)Gunzip()JSON_Beautify('%20%20%20%20',false,false)&input=SDRzSUFBQUFBQUFBQUQyUTRZNkNNQkNFWDRYMHR5MmxFTTd6VmNTUWxhN1lXRnJTN2hrdnhuZV85UUJfN21UbjI5bDVpaXRDb2pNQ1pYRTRQZ1dNR0VnY0JBU2Jvck9TSUkxSU10dGJWOWFtdUxpRWtoS0VQTWRFWFZudFZhVk1jWXZrWGVCUnRjcFV4V1oySVJONGo2a3JGLWNRRTNhbDBXelNxLUx6UDhXbzcwVzREQk52MUVxcmVoRldHSi12QzR0M042QU1NREdHTV9YamZJMEItOGUtN2R0bTJWLVBBcmtZM3V3dlJsVWJDdnd2dVNHdkdjd0dQUE5IZkdHTWNmVDRpVDh6NUJJVDVfbElrd3RMRl96bDZwMmlSZC1WT1AyMHpRUEVUbGdnZkpjcGpEYU4xSzJzdERpOVRqdHh4NVE1RkxkcnhPc1BtWHZsWTNvQkFBQQ)):

{
    "heartbeats": [
        {
            "agent": "android-target-sdk/32 fire-transport/18.1.2 kotlin/1.6.21 android-installer/ fire-core/20.1.0 fire-cls/18.2.9 fire-fcm/23.0.3 fire-android/33 device-name/sdk_gphone_x86_64 fire-installations/17.0.1 fire-analytics/20.1.2 device-brand/google android-platform/ android-min-sdk/21 device-model/emu64xa",
            "dates": [
                "2024-06-10"
            ]
        }
    ],
    "version": "2"
}

[baltpeter]

More importantly, we'll need to filter out (#46) [H4sIAAAAAAAAAKtWykhNLCpJSk0sKVayio7VUSpLLSrOzM9TslIyUqoFAFyivEQfAAAA](https://cyberchef.bn.al/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Gunzip()&input=SDRzSUFBQUFBQUFBQUt0V3lraE5MQ3BKU2swc0tWYXlpbzdWVVNwTExTck96TTlUc2xJeVVxb0ZBRnlpdkVRZkFBQUE) (and possibly others?).