for starters: authentication over a plain http, login in the request is “encrypted” with Caesar cipher, password is double MD5 of the original password (worth mentioning that app calculates MD5 of a hex string and not of a byte array second time, treating every hex digit as an ASCII byte; that’s because their MD5 function is only capable of returning hex strings)
what’s up with the response? it’s sent as base64 text, decoded data is AES-256 encrypted with a key = (a half of MD5 hash in form of a hex string + constant string (which is manufacturer name + 8 digits + two special characters)) and an IV = “1234567887654321”
you can’t make this shit up
and here it goes, i’ve spent a few hours on the first prototype and then delayed tidying up the source code for a few weeks because i’m an irresponsible human being without any sense of time and also because i forgot
anyway, here’s the link — lots of stuff still not implemented but i’ll keep going later
https://github.com/ezhevita/AkuvoxAPI