This page contains some general notes about the MyEdenred app. This is the app I use to pay for my lunches at work.
As expected, the application communicates with multiple tracking and analytics services.
Edenred API
https://etr-api.edenred.com.tr/MobileServices/1.2/VersionUpgrade
The application sends the current app version, Android version and the device model. It gets back the following response.
{
"Data": {
"AppVersionUpgradeURl": null,
"ForceVersionUpgrade": false,
"Header": null,
"Message": null,
"OptionalVersionUpgrade": false
},
"Status": false,
"error": "",
"success": true
}
https://etr-api.edenred.com.tr/MobileServices/1.2/token
The application sends its refresh token and the device ID (why device ID? It’s not secure) and gets back a new access token.
https://etr-api.edenred.com.tr/MobileServices/1.2/PasswordRules
https://etr-api.edenred.com.tr/EdenredTR.Services.Chatbot/1.0/Token
https://etr-api.edenred.com.tr/MobileServices/1.2/CombinedLogin
This endpoint is called CombinedLogin, but it’s not actually used for logging in. I suppose they used “login” as the home screen of the app you see after logging in.
You send it the device ID (again, why?), your current location (latitude and longitude), along with the access token you got from the /token endpoint.
The server responds with basically everything you see on the main screen. This includes:
Recent transactions
This is located in a key called card_transactions. It’s an array of objects. Each object looks like this.
{
"rest_name": "Friendly Neighbourhood Burger",
"tra_date": "03/07/2023", // Transaction date
"tra_date_hour": "03/07/2023 19:00", // Transaction datetime
"tra_amount": "150,8600", // Amount spent or added
"tra_label": "HARCAMA", // HARCAMA (spend) or YÜKLEME (add)
"tra_balance": "2500,9000", // The balance after the transaction
"discount_amount": "0,0000",
"loyalty_message": "",
"campaign_code": "",
"balance_type": ""
}
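An added example (not code from the app or from Edenred) that normalises these entries: amounts use a comma as the decimal separator and need explicit parsing before any arithmetic. The sample response is constructed, and it assumes card_transactions sits at the top level of the body and that dates are day-first; the balance_gaps helper is a hypothetical consistency check.

```python
import json
import re
from datetime import datetime
from decimal import Decimal

# Constructed sample; assumes card_transactions sits at the top level.
SAMPLE = """{"card_transactions": [
  {"rest_name": "Friendly Neighbourhood Burger", "tra_date": "03/07/2023",
   "tra_date_hour": "03/07/2023 19:00", "tra_amount": "150,8600",
   "tra_label": "HARCAMA", "tra_balance": "2500,9000"},
  {"rest_name": "", "tra_date": "01/07/2023",
   "tra_date_hour": "01/07/2023 09:30", "tra_amount": "2651,7600",
   "tra_label": "YÜKLEME", "tra_balance": "2651,7600"}
]}"""

SIGN = {"HARCAMA": Decimal(-1), "YÜKLEME": Decimal(1)}  # spend / top-up
AMOUNT_RE = re.compile(r"\d+,\d+")  # comma decimal separator, as on the page

def parse_amount(text):
    """Convert a string such as "150,8600" to Decimal; reject anything else."""
    if not AMOUNT_RE.fullmatch(text):
        raise ValueError(f"unexpected amount format: {text!r}")
    return Decimal(text.replace(",", "."))

def parse_transaction(raw):
    """Normalise one card_transactions entry into typed values."""
    if raw["tra_label"] not in SIGN:
        raise ValueError(f"unknown tra_label: {raw['tra_label']!r}")
    return {
        "merchant": raw["rest_name"],
        # Assumed day-first: "03/07/2023" is read as 3 July, not 7 March.
        "when": datetime.strptime(raw["tra_date_hour"], "%d/%m/%Y %H:%M"),
        "delta": SIGN[raw["tra_label"]] * parse_amount(raw["tra_amount"]),
        "balance": parse_amount(raw["tra_balance"]),
    }

def load_transactions(body):
    """Parse a response body and return transactions oldest first."""
    entries = json.loads(body)["card_transactions"]
    return sorted(map(parse_transaction, entries), key=lambda t: t["when"])

def balance_gaps(txs):
    """Return entries whose balance does not follow from the previous one."""
    return [cur for prev, cur in zip(txs, txs[1:])
            if prev["balance"] + cur["delta"] != cur["balance"]]

if __name__ == "__main__":
    for tx in load_transactions(SAMPLE):
        print(tx["when"].isoformat(), tx["delta"], tx["balance"], tx["merchant"])
```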
https://etr-api.edenred.com.tr/MobileServices/1.2/OnlineSales
https://etr-api.edenred.com.tr/MobileServices/1.2/OnlineSalesMerchants
https://etr-api.edenred.com.tr/MobileServices/1.2/TRLocationSearch
Send location, along with a search query. The server responds with a list of matching restaurants.
{
"cat_code": "",
"dep_code": "",
"has_campaign": false,
"is_market": false,
"latitude": "41.01111",
"limit": "100",
"longitude": "29.01111",
"rest_name": "",
"twn_code": "",
"usr_id": ""
}
https://etr-api.edenred.com.tr/MobileServices/1.2/MarketList
https://etr-api.edenred.com.tr/MobileServices/1.2/RCCampaigns
Misc stuff
Grabs the client IP from http://ip.jsontest.com/
Netmera.com
The app uses the netmera.com tracking/analytics API. All the communication happens over HTTPS, and every request seems to be a POST request.
Headers
X-Netmera-App-Key
This header is sent with the value edenredprod. Does this imply the existence of an edenreddev or edenredtest app key?
X-Netmera-Api-Key
Sent with the value 77MNEli8Vfzfl6T_eB8P_BqbkiCJ_vtMa7ILrkRJEV2oDx__GaSyiA.
X-Netmera-Sdkv
Clearly the SDK version. Sent with the value 3.9.4.
X-Netmera-Provider
Sent with the value google.
X-Netmera-Os
Sent with the value ANDROID.
Content-Type
Sent with the value application/json; charset=UTF-8.
Endpoints
https://sdkapi.netmera.com/sdk/3.0/session/init
On startup, the app sends a POST request to this endpoint. The request body is a JSON object. It contains the following fields.
{
"cfgV": 112, // Configuration version?
"ids": {
"did": "123123123", // Device ID?
"iid": "123123123", // Instance ID?
"sid": "123123123", // Session ID?
"uid": "123123123", // User ID?
"xid": "919bdd1c-b7ab-422a-a47d-e2d40ddf855f" // Some UUID
},
"info": {},
"ts": 1688580747020, // Unix timestamp in milliseconds
"tz": 10800 // Timezone offset in seconds (3 hours)
}
The same ids object is sent with every request.
https://sdkapi.netmera.com/sdk/3.0/event/fire
https://sdkapi.netmera.com/sdk/3.0/user/update
Appcenter.ms
Endpoints
https://in.appcenter.ms/logs?api-version=1.0.0
Seems to be a pretty simple logging endpoint.