@embr @uint8_t oooh BLE, I did that once upon a time! Wireshark should be able to do a capture (I know it works on Linux, hcidump or sudo wireshark, suspect it works on macOS and maaaaybe on Windows too? You can capture in another app and load in Wireshark for analysis anyways.)
It's possible that your Android BLE stack is caching stuff that it retrieved when the device first paired, so you might get more handle descriptors if you can get it to forget that cache and capture the initial handshake. It's also possible/likely that the sketchy APK just has handles hardcoded.
You can probably poke at struct internals to force bluepy or the C BlueZ bindings to send writes to the handles you already figured out even if the GATT server doesn't provide a valid query response describing them.
I am not finding any of my old source code to refer to, alas... Will dig a little bit more.
Also, I now want a pair of those glasses. :)