I have been reverse engineering an APK in order to create a Desktop client for an app (just for fun to improve my analytical/programming skills). I have, however, hit a snag. Most requests sent to the server have 3 very important headers:

- `X-Request-ID`: Just a random UUID
- `X-Request-Info5`: JSON representation of request that has been Base64 encoded
- `X-Request-Sign5`: A SHA1 (HMAC) hash of the `X-Request-Info5` header value with `01a6` prepended to it.

I am trying to find the secret key used to generate this hash and came across this code:

https://i.stack.imgur.com/bzcLW.png

The `dil.a().b((Context)localObject2, str2);` snippet calls a function that looks like this:

https://i.stack.imgur.com/h07cs.png

The `String a = dim.a(context);` snippet gets the `device_id` from shared preferences, or generates a new one (for new devices) using a random UUID and stores it in shared preferences and returns the result. This is used as the `slider-show-session` header in requests, but as seen from the code above it is also passed to the `signWithToken` method. The `signWithToken` method essentially calls a native method in one of the `.so` libs. I've decompiled them but the decompiler says that it cannot find an entry point and just allows me to see the strings inside the binary. I was trying to figure out what the signing function did so I could replicate it, but the native method that is actually called from Java, `doCommandNative`, is nowhere to be seen in any of the `.so` files...
Any help from someone more advanced than myself would be great! It's been a great learning experience so far but I have hit this road block.
Posted 6 years ago
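The three-header scheme described in the post, sketched from both the signing and the verifying side as an added example; it is not code from the original post or from the app. Assumptions: `01a6` is prepended to the hex HMAC-SHA1 digest of the Base64 header value (one reading of the post), the key and request fields are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import uuid

PREFIX = "01a6"  # prefix the post reports on X-Request-Sign5

def sign_info(info_b64: str, key: bytes) -> str:
    # Assumed layout: PREFIX + hex(HMAC-SHA1(key, Base64 header value)).
    mac = hmac.new(key, info_b64.encode("ascii"), hashlib.sha1)
    return PREFIX + mac.hexdigest()

def build_headers(request: dict, key: bytes) -> dict:
    # Serialise the request deterministically, then Base64 it for the Info5 header.
    raw = json.dumps(request, separators=(",", ":"), sort_keys=True).encode()
    info = base64.b64encode(raw).decode("ascii")
    return {
        "X-Request-ID": str(uuid.uuid4()),
        "X-Request-Info5": info,
        "X-Request-Sign5": sign_info(info, key),
    }

def verify_headers(headers: dict, key: bytes):
    """Return the decoded request dict, or None if any check fails."""
    info = headers.get("X-Request-Info5")
    sign = headers.get("X-Request-Sign5")
    if not isinstance(info, str) or not isinstance(sign, str):
        return None
    try:
        uuid.UUID(str(headers.get("X-Request-ID", "")))
        expected = sign_info(info, key)
        # Check the MAC in constant time before parsing any untrusted content.
        if not hmac.compare_digest(sign.encode(), expected.encode()):
            return None
        return json.loads(base64.b64decode(info, validate=True))
    except ValueError:  # bad UUID, non-ASCII input, bad Base64, bad JSON
        return None

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed placeholder, not a real key
    hdrs = build_headers({"path": "/v1/items", "ts": 1700000000}, demo_key)
    print(hdrs["X-Request-Sign5"], verify_headers(hdrs, demo_key))
```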