fix(Spotify): Fix login by replacing Spoof signature patch with new Spoof package info patch #4794

Merged
merged 6 commits into from
Apr 15, 2025

Conversation

oSumAtrIX
Member

@oSumAtrIX oSumAtrIX commented Apr 15, 2025

Spoofing the installer's name may or may not work. Currently testing. So far pretty much everyone reports it's working.

@oSumAtrIX oSumAtrIX marked this pull request as ready for review April 15, 2025 09:15
@cyberboh
Contributor

I have not had a login issue since the beginning. Is this issue based on region, or is their account chosen as an A/B tester?

@oSumAtrIX
Member Author

Regional and account based A/B.

@LisoUseInAIKyrios
Contributor

This fails with the legacy app target 8.6.98.900
Needs a small adjustment.

@oSumAtrIX oSumAtrIX marked this pull request as draft April 15, 2025 10:05
@LisoUseInAIKyrios LisoUseInAIKyrios marked this pull request as ready for review April 15, 2025 10:08
@oSumAtrIX
Member Author

image

@LisoUseInAIKyrios This is much simpler

@oSumAtrIX
Member Author

image

or just this

@LisoUseInAIKyrios
Contributor

But that doesn't replace the installer package and the legacy app probably has the same issue as the latest app target.

@oSumAtrIX
Member Author

oSumAtrIX commented Apr 15, 2025

However, IS_SPOTIFY_LEGACY_APP_TARGET may still not be enough. Later versions might still not have the installer name check. I am still not really convinced of the version checking practice we currently have in YouTube or Spotify. It's difficult to scale.

@oSumAtrIX
Member Author

oSumAtrIX commented Apr 15, 2025

> But that doesn't replace the installer package and the legacy app probably has the same issue as the latest app target.

The old versions don't have an installer name field in the requests they make. In fact the patch is redundant for old versions of Spotify:

image

Neither the signature nor the installer name are present.

@LisoUseInAIKyrios
Contributor

IS_SPOTIFY_LEGACY_APP_TARGET works by checking for the main activity name, which will be stable unless Spotify changes the main activity again. There's always 1 main activity so there cannot be both old and new names present.

It would be really handy if apktool extracted the app version, but it doesn't so it requires clunky stuff like this.

@LisoUseInAIKyrios
Contributor

If it's not sending the package name, then yes I think it can be simplified.

@Brosssh
Contributor

Brosssh commented Apr 15, 2025

image
clienttoken request on recent app

@oSumAtrIX
Member Author

> IS_SPOTIFY_LEGACY_APP_TARGET works by checking for the main activity name, which will be stable unless Spotify changes the main activity again. There's always 1 main activity so there cannot be both old and new names present.
>
> It would be really handy if apktool extracted the app version, but it doesn't so it requires clunky stuff like this.

Yes but the installer name might have been added after even if the new activity exists. You are assuming the installer name has been added to the request at the same time the activity has been renamed.

@oSumAtrIX
Member Author

> If it's not sending the package name, then yes I think it can be simplified.

I'll force push my commit. We can revert if something's missing there.

@LisoUseInAIKyrios
Contributor

For the legacy target, the installer does appear to be sent here. But I'm not sure if this code is reachable

```java
AndroidClientReport.c() {
    String m = l2r.m(jg3Var.b.d()); // Installer package
    n.copyOnWrite();
    AndroidClientReport.l((AndroidClientReport) n.instance, m);
```

@Brosssh
Copy link
Contributor

Brosssh commented Apr 15, 2025

Is it possible to mark this patch as not needed for version < 9? And mandatory for >= 9? 4f87180 is much cleaner imo

@oSumAtrIX
Copy link
Member Author

> For the legacy target, the installer does appear to be sent here. But I'm not sure if this code is reachable
>
> ```java
> AndroidClientReport.c() {
>     String m = l2r.m(jg3Var.b.d()); // Installer package
>     n.copyOnWrite();
>     AndroidClientReport.l((AndroidClientReport) n.instance, m);
> ```

Apparently it's missing in the clienttoken request; this is also the case for the unpatched app. I don't think we need to consider anything further than that.

@oSumAtrIX
Member Author

> Is it possible to mark this patch as not needed for version < 9? And mandatory for >= 9? 4f87180 is much cleaner imo

It can early return, but do we know if the installer name was really added exactly when 9 was introduced?

@LisoUseInAIKyrios
Contributor

> It can early return, but do we know if the installer name was really added exactly when 9 was introduced?

Slightly older versions of 9.0 are not important. The only versions that matter are the latest, and the single old legacy target.

@oSumAtrIX
Member Author

> > It can early return, but do we know if the installer name was really added exactly when 9 was introduced?
>
> Slightly older versions of 9.0 are not important. The only versions that matter are the latest, and the single old legacy target.

The patch does not break with checking the string on versions that "do not matter" and neither on the ones that matter. However with checking the activity, it'll break with the ones that "do not matter".

@LisoUseInAIKyrios
Contributor

Can use two fingerprints (latest and legacy). They're small fingerprints and a little copy paste keeps it simple

@oSumAtrIX oSumAtrIX merged commit d639151 into dev Apr 15, 2025
1 check passed
@LisoUseInAIKyrios LisoUseInAIKyrios deleted the fix/spotify/login branch April 15, 2025 10:53
github-actions bot pushed a commit that referenced this pull request Apr 15, 2025
# [5.20.0-dev.7](v5.20.0-dev.6...v5.20.0-dev.7) (2025-04-15)

### Bug Fixes

* **Spotify:** Fix login by replacing `Spoof signature` patch with new `Spoof package info` patch ([#4794](#4794)) ([d639151](d639151))
github-actions bot pushed a commit that referenced this pull request Apr 15, 2025
# [5.20.0](v5.19.1...v5.20.0) (2025-04-15)

### Bug Fixes

* **Duolingo - Hide ads:** Support latest app release ([#4790](#4790)) ([215fccb](215fccb))
* **Spotify - Unlock Spotify Premium:** Remove premium restriction for 'Spotify Connect' ([#4782](#4782)) ([50f5b1a](50f5b1a))
* **Spotify:** Fix login by replacing `Spoof signature` patch with new `Spoof package info` patch ([#4794](#4794)) ([d639151](d639151))
* **YouTube - Remove background playback restrictions:** Restore PiP button functionality after screen is unlocked ([6837348](6837348))

### Features

* Add `Set target SDK version 34` patch (Disable edge-to-edge display) ([#4780](#4780)) ([dcf6178](dcf6178))
* **Spotify - Custom theme:** Add option to use unmodified player background gradient ([#4741](#4741)) ([0ee3693](0ee3693))
* **YouTube - Swipe controls:** Add option to change volume swipe sensitivity (step size) ([#4557](#4557)) ([8957325](8957325))
@LisoUseInAIKyrios LisoUseInAIKyrios linked an issue Apr 15, 2025 that may be closed by this pull request
3 tasks
Development

Successfully merging this pull request may close these issues.

bug: Spotify preventing log in with 14 day abroad warning
4 participants