New Aerogarden App -> new API?

[doctorkb]

I just received notice from Aerogarden today that they're launching a new app. Some of the older gardens (pre-2019) may not be compatible, which suggests to me they may be also revising the API.

Figured I'd let you know in case you didn't also receive the note.

More info here: https://aerogarden.com/learning/introducing-the-aerogarden-app.html

[dalinicus]

Hey, thanks for the heads up. I did see that.

We did just move over to the v4 api with 1.4.2 after the certificate expired on an older endpoint. So I'm guessing we should be good?

Just to be sure, I'll hook up the new app to a http proxy later tonight or this week and see if anything has changed.

[doctorkb]

Maybe we're in the clear, but this was concerning:

-- it seems that if your garden works with the old app, it won't work with the new, and vice versa.

[dalinicus]

I think what they actually mean by this is that the old app has been disabled and no longer works at all. Downloading the old app in a fresh emulator yields this message instead of the normal login.

[doctorkb]

That makes sense... I'm seeing that now, too.

Also, I'm on 1.4.2 in HACS, but it seems to have broken overnight. Reloading the integration doesn't fix it -- but the data is very clearly incorrect:

[dalinicus]

Yeah, it looks like app4.aerogarden.com is now returning old data, possibly when they cut over to the new system. There's a new endpoint at app5.aerogarden.com with a completely different api backend... but I can't seem to get a proxy in between the app and the API because the new app doesn't appear to use the system certs for validation. So I have no idea what the new calls look like.

I might need some help with someone that knows a bit more about android/ios development that might be able to figure out what calls its making so we can replicate it.

[doctorkb]

Sadly, I'm wondering if this isn't another Chamberlain MyQ situation...

[dalinicus]

honestly, same :(

[TheGAFF]

Disclaimer: AG janitor, these are my personal opinions:

• Using the APIs is A-OK as long as your network requests don't resemble a data-hungry monster and stick to what a typical mobile app user would do, will probably be blocked by heuristics otherwise
• The APIs aren't chained to just the app
• All newer apps by default don't let you proxy HTTPS traffic and ignore user added root certificates (ex. Fiddler ). It will need to be added to the system root certs (requires rooting your phone) or you will need to use an emulator to bypass that security feature
• There isn't an official public API, maybe some day

In other news, my Chamberlain garbage door is still disconnected from Google Home. 😭

[doctorkb]

Chamberlain garbage door is still disconnected from Google Home

Pardon me, sir, but have you heard of our lord and savior ratgdo? https://paulwieland.github.io/ratgdo/#order 🙂

[samuel]

The new app uses flutter. This post discusses someone getting around the certificate pinning on Android using Ghidra to patch the library: https://raphaeldenipotti.medium.com/bypassing-ssl-pinning-on-android-flutter-apps-with-ghidra-77b6e86b9476

I don't have time at the moment to try it, but throwing it out there in case someone wants to explore this option.