Astro (Malaysia) NJOI Android app network analysis

Astro recently walled up their HLS streaming endpoints by introducing AES-128 encryption on their HLS streams, so leechers can no longer watch TV for free.

So decided to spend the evening poking around their NJOI Android app, by using Fiddler. The app refuses to run on a rooted device, and also it is geo-restricted to just Malaysia, so gotta spawn a VPN from home and funnel everything through it. Fiddler is pretty nifty in that it can decrypt HTTPS traffic given you generate it’s certificate, and then install it on your Android device and then pointing your Android phone to the Fiddler’s proxy. This does not work on Android 7 and above, because “Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default”. But luckily I still have a Note 2 lying around, and NJOI seems to run just fine on it.

On sign-in you are presented with this menu. You can watch live TV on their “Channels” tab or rewatch aired shows from the “On Demand” feature. Selection is quite extensive for free TV, but all the channels are run by Astro, so no surprises. Clicking on the “Channels” tab shows you channels categorized into their respective language and type.

Clicking on the channel immediately starts the channel stream with adaptive bitrate enabled. At the bottom of the channel stream are selection of on-demand titles from the channel. I’m surprised they finally figured out how to do this without fucking up, but looking deeper you find that everything in there are just third-party software taped together.

I couldn’t take a screenshot of the streaming screen, Android will complain about DRM. Coincidentally the stream was showing how you should not pirate because it’s illegal. Taking a look at Fiddler, you can see their EPG is hosted by, which is a subsidiary of Comcast.

That POST request is sent right when you click on a particular channel, and in this case, I clicked on Astro AEC. The response is a JSON string describing each of the on-demand titles and “tuningInstructions”[sic] for the live stream. Astro uses HLS for all their online contents, and has ever since the 2012 when they first introduced the now-defunct “Evening Edition” companion app, which was developed and maintained by appfactory. Their live HLS m3u8 indexes (e.g. are public, and can be freely downloaded, however the .ts streams are encrypted. The backend uses the Verimatrix’s “Video Content Authority System” proprietary video publishing system and the player in the app uses the same company’s ViewRight. The HLS key URI (e.g., requires that you authenticate yourself with a TLS client certificate before it will cough up the key. Obviously we don’t have that.

When you click on an on-demand title, the app sends a POST request and receives another JSON document that describes everything about the title, including things like duration, published date, allowed countries, producers, cast etc. One thing of particular interest is the “url” key nested under the “releases” key. It contains a URL to the EPG host, like such.

Visiting the URL on a browser yields error. However by appending the “clientid” and “auth” URI data captured from earlier “**” requests, we get a randomly named file containing an XML doc describing the on-demand title, including the HLS index.

The HLS index, yet again, leads to the VCAS encrypted .ts stream.

I guess that’s about it. If we can extract the ViewRight private SSL key from the Android app, we can then decrypt the .ts contents of all the streams. How does one do that? Hacker sifus, I’m counting on you.

Never see. Never know.

1 Comment

Leave a Comment

Your email address will not be published. Required fields are marked *