gitmyhub

shape-ios

Rust ★ 34 updated 29d ago

Reverse engineered Shape iOS native SDK

A Rust CLI tool that decodes and re-encodes the encrypted device fingerprint header generated by the Shape Security anti-bot SDK found in the Southwest Airlines iOS app.

Rust setup: moderate complexity 3/5

This repository contains a Rust implementation that reverse-engineers a security SDK used in iOS mobile apps. Shape Security, now part of F5, makes bot-detection and anti-fraud software that companies embed in their mobile applications. This project specifically looks at the version of that SDK found inside the Southwest Airlines iPhone app.

The SDK works by generating a set of custom HTTP headers that get attached to every request the app makes to Southwest's servers. Those headers carry device fingerprinting data and other signals that the backend uses to tell whether a request is coming from a real user on a real phone or from an automated script. The header values are computed by a combination of a JavaScript virtual machine, a Lua virtual machine with bytecode loaded from the server at startup, and native device information.

The researcher who built this project figured out how the encoding and encryption scheme behind one of those headers works. The specific header is the one labeled with the suffix -e, which carries a device fingerprint encrypted with a nonce-based cipher in the format b; followed by ciphertext and a nonce. The repository implements both directions: you can feed it an encoded header value and decode it back to readable data, or you can take plain data and encode it into the format the SDK would produce.

The tool is built with Rust and runs from the command line. You pass it the encrypted data string and the header prefix used for key derivation, and it outputs the decoded result. Encoding works the same way in reverse, requiring you to supply a random 32-byte nonce.

The README notes that the other headers, including those driven by the JavaScript and Lua virtual machines, are not yet implemented. This covers only the native SDK portion of the fingerprinting system.

Where it fits