consider newer Android API

the current implementation:

gpsoauth/gpsoauth/__init__.py

Lines 134 to 152 in b22c57a

	data: dict[str, int | str | bytes] = {
	"accountType": "HOSTED_OR_GOOGLE",
	"Email": email,
	"has_permission": 1,
	"add_account": 1,
	"EncryptedPasswd": google.construct_signature(
	email, password, ANDROID_KEY_7_3_29
	),
	"service": service,
	"source": "android",
	"androidId": android_id,
	"device_country": device_country,
	"operatorCountry": operator_country,
	"lang": lang,
	"sdk_version": sdk_version,
	"client_sig": client_sig,
	"callerSig": client_sig,
	"droidguard_results": "dummy123",
	}

from what I can tell is based on Android API 19, which is dated around 2013:

https://apilevels.com

have you considered bumping up the implementation? it seems starting with API 21, Google is using something more like this:

POST /auth HTTP/1.1
Host: android.clients.google.com
Accept-Encoding: identity
Connection: Keep-Alive
User-Agent: GoogleAuth/1.4 (generic_x86 LSY66K); gzip
app: com.google.android.gms
content-type: application/x-www-form-urlencoded
device: 3760dcd91...

ACCESS_TOKEN=1&
add_account=1&
device_country=us&
droidguard_results=CgYXdhUgp-PSEFsAAHdU9h5a1xWSAFpFJRNTS5M9AC4R4ZGh9VMLBADDJ6...&
google_play_services_version=11055270&
is_dev_key_gmscore=1&
lang=en_US&
sdk_version=21&
service=ac2dm&
Email=s...&
androidId=3760dcd91...&
Token=oauth2_4%2F0Adeu5BVnTdwNdQyQ97hA6iZKM3KitofkyAKOb3yucDZ0JxPCvMJ3c7y-lmHr...

admittedly, getting that Token value to plug into the request is not simple, but after 10 years it might be time to start thinking about it.

[simon-weber]

I don't use this library for any of my own projects anymore so I'm not planning on making any major changes to it, but if someone else wants to look into it I can help get things merged.

OK might have hit a brick wall. it seems the /_/lookup/accountlookup request is protected by a value bgRequest, which is Google bot-guard protection.

OK I tested again by manually installing Google Play API 21 with the oldest apps I could get working:

package: name='com.android.vending' versionCode='81085000'
versionName='10.8.50-all [0] [PR] 206058588'

package: name='com.google.android.gms' versionCode='205066013'
versionName='20.50.66 (020700-351698872)'

package: name='com.google.android.gsf' versionCode='21'
versionName='5.0.2-1649326'

and I also blocked updates with this filter:

/~u play-apps-download-default.download.by-id/444

but still, the result is the request is protected by Google bot-guard. so I think I am out of ideas, because I am not skilled enough to reverse that.

[simon-weber]

Aw, ok. I don't think I'll be able to resolve that - it's been ages since I've done anything with Android - but I appreciate the attempt!

[GRodrig]

@1268 The results from the (500+) tests I did:
Parameters:
'add_account' is required for some accounts to prevent an 'UNKNOWN ERROR' (aas token)
'client_sig' is needed if you want a longer expiration time for the token (auth token).

I couldn't find any more errors related to other parameters.

If you want to follow that approach (auth2_4 token) I suggest u to check:
https://gitlab.com/AuroraOSS/gplayapi/-/tree/master
https://github.com/whyorean/Authenticator (You can make it return the auth2_4 token, but you need to make changes)

OK well as of now I have switched to Android API 21, which means my package no longer supports email/password login:

https://github.com/1268/google/commit/784a2a7ba45352a06ff5213082ce402a61427e9c

I dont think people will like that, but I am not really interested in supporting a 10 year old API any more. also I was able to rip out the custom TLS code, which make the process much better from a coding standpoint. I will leave this open in case @simon-weber or anyone has any ideas on the bot guard.