This application was an alternative client to the Android application Showbox. Showbox is an application that allows streaming of free movies and television shows. At the time it didn’t allow for downloading of content and was filled with advertisements. My client allowed for direct streaming of their pirated content without advertisements with a clean and simple user interface. This application was in active development from October 2014 until November 2015.
The way that Showbox managed their data at the time was by providing datablobs in the form of a zip file with json files embedded. It included information on the shows, categories, and recently added.
Since the domain that was hosting this data was taken down over time (I saw this happen at least once) they had remote configuration in place to allow for swapping the download location. I copied this behavior and added my own parsing to normalize all of their data so I can easily query from it. Using TheMovieDB’s api I backfilled any other missing required data.
At the time of development Showbox used the Russian Facebook alternative VK as their backing video source. Using rolling accounts they would upload content and if it went down the client would notify them it needed to be re-uploaded. Every show had a unique identifier specific to Showbox and using it you could query their api for information on the available streaming links. The problem is that it would simply return a list of hashes.
This hash could only be interpreted by using the native library embedded within the Showbox application itself along with using their own package name and a secret key. All of this was useless when you can simply import their own native libraries, use a ContextWrapper to fake your package name, and copy the plaintext secret.
Using this parsed hash I could generate a good url and attempt to request all available qualities. Most of the time this would work fine but in the case that it didn’t I simply notified Showbox that the upload failed like the real client. I knew what they were doing mostly by using a proxy on the host device but learning how and why was the difficult part.