ubahnverleih / WoBike

Documentation of Bike Sharing APIs 🚴🛴🛵

Lime juicer api #75

Open Mradmedamine opened 5 years ago

Mradmedamine commented 5 years ago

Hello guys, where is the juicer API? There is only the rider's one. How could you intercept the requests? I tried to do this with several tools, but I couldn't fully explore the requests; it seems protected or something...

The client failed to negotiate an SSL connection to web-production.lime.bike:443: Remote host closed connection during handshake

Does the Lime app have SSL pinning? Please help!!

ubahnverleih commented 5 years ago

Hi, sorry, this is a project focused on the positions of bikes/scooters. These APIs are collected by many volunteer contributors. So obviously until now none of them was interested in reverse engineering the juicer API. We love to get issues with requests for new services or APIs to look at, but it does not help to spam other, completely unrelated issues. Begging for help with dozens of exclamation marks in different issues is not the best motivation for volunteers.

I guess one issue with this is that you need to have a special juicer account to reverse engineer this API. I don't know how hard it is to get such an account.

johnnyh0826 commented 5 years ago

Where can I get the Lime rider API?

bransonf commented 5 years ago

@johnnyh0826 https://github.com/ubahnverleih/WoBike/blob/master/Lime.md

W1MMER commented 4 years ago

The URL for finding juicable scooters is https://juicer.lime.bike/api/rider/v2/juicer/views/main

kltye commented 3 years ago

> The URL for finding juicable scooters is https://juicer.lime.bike/api/rider/v2/juicer/views/main

Hi, can I ask how you guys are reverse engineering the API? Lime appears to use HSTS, so any cert bypasses seem impossible.

EDIT: I have a juicer account, so I'd be happy to help to figure this out.

EDIT 2: Never mind, I see that MITM'ing in iOS is a lot easier. Fortunately I have an iPad and managed to sniff what I needed.

W1MMER commented 3 years ago

Make sure that this is one of your Params:

Filter = %2A

Otherwise the API won't return any scooter locations.

EDIT: This is the link to the documentation for the Lime Juicer API HERE

kltye commented 3 years ago

> Make sure that this is one of your Params:
>
> Filter = %2A
>
> Otherwise the API won't return any scooter locations.

Thanks! I managed to sniff the traffic with mitmproxy. I was going down the Android path of injecting certs with frida, etc - not knowing that that isn't necessary with iOS devices.

W1MMER commented 3 years ago

> > Make sure that this is one of your Params:
> >
> > Filter = %2A
> >
> > Otherwise the API won't return any scooter locations.
>
> Thanks! I managed to sniff the traffic with mitmproxy. I was going down the Android path of injecting certs with frida, etc - not knowing that that isn't necessary with iOS devices.

That's fine! I'm an iOS user and had no idea that Lime implemented SSL Pinning on their Android App. I have SSL Kill Switch installed onto my old jailbroken iPhone 6, so I use that when an app has implemented SSL pinning.