Fabricio

Fabric.io is a great tool made for mobile application developers. It provides statistics of standard and out-of-memory crashes, active users, audience growth and a lot more. Unfortunately the only official way to work with this data is using Fabric.io website. That means - no automation and no integrations with other services.

I decided to fix this issue.

Problems

Before diving into implementation details let's see what I mean under no automation and no integrations.

The first problem. We have a dashboard with technical metrics of all our projects. It shows multiple data types from different sources: AppStore ratings, number of unit tests, OCLint reports. Besides it we also count somewhat called 'project health coefficient'. It reduces all of aforementioned technical metrics in one using a system of weights. The result coefficient varies from 0 to 10.

This data is persisted and visualized on our Apple TV in multiple widgets.

As for me the most important technical metric of a mobile application is its crashfree rate. It's the end result of our work, it shows how good we completed our technical tasks. We had to collect this data from Fabric. Showing its own dashboard in an iframe wasn't an option - we needed the raw data to use it in health coefficient.

The second problem came from our analysts department. They prepare reports of applications status on a regular basis. A report includes different metrics together with the crashfree rate. They had to do a lot of manual work just to collect this data for different time ranges and builds and paste in Excel. We have many apps so it i really hard. They asked me for a better way to deal with it.

Research

We had two major sources to research - Fabric mobile applications and the website. As typical iOS developers with a little background in pentesting we started with researching iOS application. Well, this appeared to be not an easy task. iOS 9 with the brand new ATS didn't allow us to sniff the https traffic using MitM techniques.

Instead of trying to patch the application we chose an easier way. We found an Android phone. Sniffing its traffic gave us some API methods: OAuth authorization, getting organization and application information. It also provided us a method to obtain crashfree values for a period of time:

{
  "start": 1476144000,
  "limit": 3,
  "builds": {
    "all": [
      [
        1476144000,
        0.997496362959705
      ],
      [
        1476230400,
        0.9964777570356803
      ],
      [
        1476316800,
        0.9973385101919404
      ],
      ...

However, time has shown that this data isn't accurate. The month average crashfree often was different than the percentage shown on the website. I had to deal with the fabric.io site itself. I found that it uses GraphQL API for some network requests - e.g. crashes count and out-of-memory free metric. Besides it the website provided a lot of other useful API requests - builds information, daily active and active now users and much more.

Gem

To simplify dealing with multiple endpoints and protocols I wrapped the API in a simple gem - fabricio. Currently it can do the following things:

Here is how to use it:

  1. Create a Fabricio::Client object and configure it on initialization.
  client = Fabricio::Client.new do |config|
      config.username = 'your_email'
      config.password = 'your_password'
  end
  1. Use this client to query any data you want.
  client.app.all # Returns all applications on your account
  client.app.get('app_id') # Returns information about specific application
  client.app.crashfree('app_id', '1478736000', '1481328000' 'all') # Returns application crashfree for a given period of time
  client.organization.get # Returns information about your organization
  1. If you want to check the exact server output for a model, you can call json method on it:

client.app.get('app_id').json

You can call a method similar to any key in this hash:

client.app.get('app_id').importance_level

The API is private, so we don't have any guarantees that it won't change in the future. I'll try to keep up with its changes and update the gem ASAP.

API

If you still want to deal with API directly, I posted it in fabricio repository: - cURL - Swagger

Thanks

My colleagues helped me a lot in my research. Thanks to Vadim Smal who dealt with mobile application sniffing and Irina Dyagileva, Ivan Dyagilev and Andrey Smirnov for help with the website analysis.

Links