7-Eleven Fuel App set to be relaunched as My 7 Eleven

[showdownhero]

Obviously the fuel app is down at the moment. Based on their comment on this Facebook post they will be creating a new app called my 7 eleven.

https://www.facebook.com/132945996743236/posts/3034321299939010/?d=n

Just thought I’d give everyone a heads up

[micyew]

The new My 7 Eleven is up...

Obviously we can't lock fuel now....I try to change the APP_VERSION in settings.py to "2.0.0.10867". I was able to login and lock the fuel..But the fuel docket didn't show up in my iphone new My7Eleven app...

[micyew]

I think they tie the fuel docket/offers to the 711 card rather than the account as in previous version....

[alvinnguyen]

@micyew, does the Fuel Price Lock tab in the app show the locked price? If yes then I think it's still working?

[micyew]

Nope....Previous version have this button "Show Voucher". Now no more. I can lock the price with this app.py after changing the version in settings.py. Everything good. But it just shows nothing in the new My7Eleven app. Something must have change in the backend. Maybe different database..?

[LynnAU]

has anybody gone through the app with wireshark running? i'd imagine some of the api endpoints or the host itself may have changed

[PinkyJie]

@LynnAU It seems the new app uses SSL Pinning, I used another proxy tool (https://github.com/alibaba/anyproxy) trying to inspect the requests, failed... It appears it only respected the SSL certificate issued by themselves.

[LynnAU]

@PinkyJie that's going to be annoying, we'll have to pull the cert out from the app (if it even includes it that is). i'll take a look at it tonight and see if we can decompile the apk or something

[micyew]

Getting more and more difficult to crack.....

[freyta]

Just a quick snoop of a fuel lock request, it loads this URL https://app.api.7eleven.com.au/api/Stores/NearbyFuel?fuel=PULP98&lat=-37.782531&lon=144.943449 and these are the headers:
x-device-os: Android
x-device-os-version: Android: 9 - P (SDK 28)
x-device-build-version: 2.0.0
x-device-identifier: A0001
x-device-uuid: 6f4ba054-****-****-****-************
x-tz-offset: 36000
Date: Wed, 17 Jun 2020 05:28:15 GMT
x-attestation-token:
Authorization: Bearer *snipsnip*
signature: *removed*

And then with that json response it has a list of your 5 closest stores, a hash & timestamp to send on (UTC time it looks like), and your fuel type. For example (store details removed):
{"stores":{["storeId":"1001",
"name":"7-Eleven Oakleigh",
"coordinates":{},
"location":[],
"address":{},
"phone":"",
"openingHoursList":[],
"specialOpeningHours":[],
"allHours":true,
"isActive":true,
"isFuelStore":true,
"hasKiosk":false,
"features":[],
"fuelOptions":[],
"atm":true}],
"fuel":"PULP98",
"time":"2020-01-01T00:00:00.0000000Z",
"hash":"HMrd******************************/ZVRUsYrs"}

And then it uses the stores list, the timestamp, hash and the fuel type redirects to https://app.api.7eleven.com.au/api/Fuel/BestPrice?fuel=PULP98&stores=1001,1002,1003,1004,1005&time=2020-01-01T00:00:00.0000000Z&hash=HMrd******************************/ZVRUsYrs which then responds with:

{"storeId":"1336","storeName":"Wantirna","storeLatitude":-37.903332,"storeLongitude":145.085953,"ean":"56","fuelType":"PULP98","updated":"2020-06-16T19:33:00Z","price":1419,"time":"2020-01-01T00:00:00.0000000Z","hash":"IdlLV/******************************/U"}

---

That's all I'm gonna do for now. I've removed some identifying things.

[yifanfu]

@freyta Out of curiosity, how did you get the response contents with SSL pinning enabled?

[Motordom]

There's a few ways to bypass, I use ssl-kill-switch2 on iOS, there's similar for Android I presume (not sure what Freyta used)

[peter-kerr1]

How much work would it be to update the python script to interact with the new app?

[SongGithub]

Just a quick snoop of a fuel lock request, it loads this URL https://app.api.7eleven.com.au/api/Stores/NearbyFuel?fuel=PULP98&lat=-37.782531&lon=144.943449

I think as long as coordinate (lat) can be overridden with a "desirable" one this app is feeding in, the app will be working correctly with new API.

not sure if there is any TLS comm issue with the new API though.

[gyrex]

Firstly, I just want to thank @freyta for this wonderful project. I was just wondering if there's been any progress with getting this working with the new app/process?