8

I'm building a web app to help Airbnb hosts manage their listings. I want to be notified of new reservations instead of pinging Airbnb's servers every few minutes. Airbnb's API doesn't have a way to push data to a server, so I thought maybe I could emulate a device and receive push notifications.

Is it possible to emulate a device and receive push notifications in nodejs?

Update

Looks like the iOS app registers for push notifications at the following address:

https://api.airbnb.com/v2/air_notification_devices

with the following data:

{
    "app_version": "19.08",
    "device_type": "iphone_gcm",
    "device_id": "{{DEVICE_ID}}",
    "token": "{{TOKEN}}",
    "enabled": true
}

and with the following cookie:

SRVID=mofi-production-12ab3c456-7defg_172.21.128.38:32350

and returns:

{
    "air_notification_device": {
        "app_version": "19.08",
        "created_at": "2019-03-01T16:27:13Z",
        "device_id": "{{DEVICE_ID}}",
        "device_type": "iphone_gcm",
        "enabled": true,
        "id":{{ID}},
        "locale": "en",
        "token": "{{DIFFERNT_TOKEN}}",
        "updated_at": "2019-03-01T16:27:13Z",
        "user_id": {{USER_ID}}
    },
    "metadata": {}
}
Dev01
  • Are you sure that devices have a way to receive data in this way and aren't doing polling? – zero298 Feb 28 '19 at 20:55
  • @zero298 yes, I’m pretty sure they are using push notifications. I don’t think polling works for apps because apps can’t really run in the background reliably. – Dev01 Mar 01 '19 at 01:42
  • This is interesting, though I wonder about the security aspect of maintaining access between your node.js server and AirBnB. You'll need to be authorized as the user, generally through OAuth. After access expires, how will you reestablish without the user? Also, AirBnB's blurb about their api mentions they'll send their api partners a message with reservation details: "As Airbnb guests book your listings, we’ll pass back messaging and reservation details, allowing applications to build custom workflows and create amazing experiences for our shared guests." Is this not the case? – willascend Mar 01 '19 at 04:13
  • I'm realizing that quote is likely via a synchronous reservation api, where the reservation occurred through an api invocation on your behalf and they're sending you the details. This doesn't help you if you're interested in being notified or aware of reservations that occur outside of your application. – willascend Mar 01 '19 at 04:17
  • Based on device_type it can be an older version: https://developers.google.com/cloud-messaging/ Or only the old name. It's best to capture the notification. – bato3 Mar 01 '19 at 21:15
  • @bato3 I forgot to mention when I use the man in the middle attack I don't see any data when the device receives a push notification. Not sure why. Downloading an android emulator now... – Dev01 Mar 01 '19 at 22:58
  • Are you listening for all traffic or only HTTP? BTW, in the cookie there is `172.21.128.38`. Is it yours? If not, that cookie would be a *gateway cookie* – bato3 Mar 02 '19 at 11:55
  • @bato3 that IP address is not mine. I checked when I was writing the update. What's a Gateway cookie? – Dev01 Mar 02 '19 at 16:42
  • This is one of the techniques for permanently assigning you to a server in the cluster. You can say: session for the gate – bato3 Mar 02 '19 at 17:03
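
The gateway (sticky-session) cookie discussed in the comments above, as an added example that is not part of the original thread: this JavaScript sketch parses such a cookie and reports which backend details it discloses to clients. The `<backend-name>_<ipv4>:<port>` layout is an assumption inferred from the single `SRVID` sample in the question, and the function names are hypothetical.

```javascript
// Added example: parse a load-balancer affinity ("gateway") cookie and report
// what it reveals. The value layout is an assumption based on one sample.

// RFC 1918 private ranges plus loopback and link-local.
function isInternalIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Assumed layout: <backend-name>_<ipv4>:<port>
function parseAffinityCookie(value) {
  const m = /^(.+)_(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/.exec(value);
  if (!m) return null;
  const [, backend, ip, portStr] = m;
  const port = Number(portStr);
  const octets = ip.split('.').map(Number);
  // Reject values that only look like an address (octet > 255, bad port).
  if (octets.some((o) => o > 255) || port < 1 || port > 65535) return null;
  return { backend, ip, port, internal: isInternalIPv4(ip) };
}

// Scan a Cookie header and return every cookie whose value matches the layout.
function findAffinityCookies(cookieHeader) {
  const findings = [];
  for (const pair of cookieHeader.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const parsed = parseAffinityCookie(pair.slice(eq + 1).trim());
    if (parsed) findings.push({ name, ...parsed });
  }
  return findings;
}

// SRVID is the value quoted in the question; "locale=en" is constructed.
const sample =
  'locale=en; SRVID=mofi-production-12ab3c456-7defg_172.21.128.38:32350';
console.log(findAffinityCookies(sample));
```

A finding with `internal: true` means the cookie exposes internal addressing to every client; an opaque server identifier in the cookie value avoids that.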

1 Answer

9

TL;DR: Yes, you can, but without knowing how to receive these notifications you will not do much.

You must look for how the application registers for notifications. As you have the documentation, look for how to sign up for notifications.

BTW: Does Airbnb have push notifications in the browser? If so, I would be more interested in that than in starting to debug the Android application.

Without an official API, you'll have a good dose of reverse engineering, but in 90% of cases what is used there is FCM from Google.

On the publicly available website in English they write only about OAuth2 and updates, but in my language I have:

What can I do with the Airbnb API?

The API allows teams of developers to conduct secure authorization on new and existing Airbnb accounts. Users of your application will have the option of receiving push notifications about content updates, rates and availability. Once Airbnb guests have booked your offer, we will pass on your booking information and details, allowing applications to create your own data flow and deliver amazing experiences to our common guests.

It's worth starting by installing a phone emulator, listening to all network communication and installing the application. But it will not be easy, because you have to do a man-in-the-middle attack on the HTTPS communication.

An option is to decompile the official application and search in the code.

First you need to discover the service used for notifications. If this is FCM, then the process looks like this:

  • The application generates a unique token identifying the application instance

  • The application sends this token to Airbnb to sign up for notifications

And I could not find a client in Node that would subscribe to notifications, but there is one for Web (JS), so it is possible. (Again, reverse engineering.)

There is some information about an XMPP server receiving upstream messages, but it is better to write a small app in C++ / Unity which will forward notifications to Node, e.g. via WebSocket.

bato3
  • Thanks! I already have the man in the middle setup and can see the contents of the https traffic. I've been looking at the traffic between the ios app and their servers but maybe I should be looking at android? Can I tell if it's FCM from the app requests? – Dev01 Mar 01 '19 at 16:21
  • I found this which I could use to receive the notifications, right? https://github.com/MatthieuLemoine/push-receiver#readme – Dev01 Mar 01 '19 at 16:38
  • I updated my question with some data from the push notification registration – Dev01 Mar 01 '19 at 18:17
  • It seems that the `push-receiver` is what you need. You must still find `senderId`, this is a 12 digit number (for FCM. I don't know *how to GCM*). In `sendTokenToBackendOrWhatever`, you implement the shipment to apir-api. And the returned token can be "VAPID" keys, which allows you to send notifications by the client. But I'm a bit worried about the missing `user_id` in the following data. Unless the authentication is in a different place. – bato3 Mar 01 '19 at 21:41
  • It looks like you have to download `senderId` from the android, because iOS uses certificates. And maybe it's better to check if android is using FCM instead of GCM. – bato3 Mar 01 '19 at 21:52
  • Unfortunately, I haven't had any luck with the android emulators (I've tried 3). I've been able to install the Airbnb app but cannot see any of the traffic for some reason. You don't have an Android device available, do you? – Dev01 Mar 02 '19 at 17:19
  • Also, the emulators are not prompting me for permission to allow push notifications. – Dev01 Mar 02 '19 at 17:30
  • Do you have access to an Android device? Would you be able to check the traffic? I would be happy to pay you something if you helped me solve this. Thanks! – Dev01 Mar 04 '19 at 17:32
  • I have a few androids, but my knowledge of FCM is theoretical, and about debugging android and eavesdropping communication even more general and beyond my interests. BTW here is a list of available push services: https://learn.microsoft.com/en-us/azure/notification-hubs/xamarin-notification-hubs-ios-push-notification-apns-get-started And here is info on how to configure the emulator to receive push notifications: https://stackoverflow.com/a/23443757/1194525 – bato3 Mar 04 '19 at 18:56