Researching the Google Trusted Contacts API

Post date: Dec 08, 2016 3:31:09 AM

Google released Trusted Contacts yesterday: a new application for sharing your location with friends and family in emergencies. However, it's available for Android only; I'm interested in viewing location on other platforms.

I downloaded an APK from APKMirror and disassembled it with apktool. Then I looked through the disassembled smali.

The application communicates with the server over gRPC at the endpoint personalsafety-pa.googleapis.com:443. Requests must be authenticated with an OAuth2 token carrying the scope https://www.googleapis.com/auth/personalsafety. The list of gRPC methods can be found in fmx.smali among the disassembled files.

I tried calling the google.internal.geo.personalsafety.v1.PersonalSafetyService/GetUserIncident method using the gRPC Polyglot tool and with an OAuth token obtained from the Google OAuth2 Playground tool; however, I immediately received an error:

PERMISSION_DENIED: Google Personal Safety Private API has not been used in project google.com:oauth-2-playground before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/personalsafety-pa.googleapis.com/overview?project=google.com:oauth-2-playground then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

Unfortunately, since this is a private API (it's right there in the name), I can't enable it from the Developers Console. I guess the next step would be to use GPSOAuth to spoof an Android device to obtain a valid OAuth token. However, unlike a normal OAuth flow, the user would have to provide their password to spoof an Android device, which seems insecure.

Even though I wasn't able to connect to the API yet, I learned how to talk to a gRPC service, which will come in handy when interacting with other Google services.

If you want to try it out yourself, my gRPC Polyglot command line is on GitHub Gist.