

Reverse-engineering Instagram to access the private API - 1il7890
http://definedcodehosting.com/reverse.html

======
sjtgraham
Is it still the case that the app only uses HTTPS to create a session and
plain HTTP for everything else? I remember that was the case about a year ago
after using mitmproxy to sniff traffic, although I don't recall HMAC being
used to sign requests then. Anyway, I wondered then why nobody had used
Firesheep to devastating effect, e.g. a bot sitting on an open wifi and
posting NSFW images to any account on the network.

~~~
xuki
I'm fairly certain they use HTTPS for all the requests that involve a user token.

------
potomak
Note that Instagram doesn't encrypt requests to their private API, they're
only signing them. In fact the parameter is called 'signed_body', not
'encrypted_body'.

Anyway interesting post.

~~~
CGamesPlay
The traffic is encrypted over SSL (HTTPS), so there's no need for double-
encryption, since presumably the app can trust the DNS and certificate chains
on the device. If I were a paranoid Instagram developer, though, I could even
use a custom certificate chain that only trusted certificates on my server, so
there's no point to doing the encryption in the app.

------
rnaud
Isn't the fact that they are using a simple HMAC-SHA256 hash also a root of
the problem?

If, instead of using only the POST data to create the hash, they added another
piece of information, like the hour of the day, wouldn't it be way harder for a
hacker to actually understand what went into signing the request?

~~~
meritt
Not really. He decompiled the code so it's pretty simple to figure out
regardless.

------
SifJar
Interesting write-up. Seems rather simple, really. Presumably Instagram could
change their private key and roll out a new client version on each platform,
breaking all third-party apps using the current key though. Although I guess
it'd be just as easy to get it again.

~~~
Zariel
Well if you have the private key on the device you can always pull it out, so
really they should have used public key encryption if they didn't want people
to forge the signatures.

~~~
CGamesPlay
Public key encryption to sign involves encrypting using my own private key.
Which would be on the phone, and so any end user could pull it from the
device.

~~~
cake
So what can you do? You can't fight the private key retrieval, right?

~~~
CGamesPlay
Well, you can lock down the device so that the end user doesn't own it,
doesn't have root, and can't inspect your binary/data outside of your exposed
interface. Which is exactly what iPhones and many Android vendors attempt to
do.

~~~
somesay
Typical DRM/crypto problem. As soon as one party is out of your control (e.g.
client on end-user device) you already lost. Even on the iPhone you could do a
jailbreak. You could only make things more difficult; in the worst case you would
have to open the device and directly access the RAM or something.

Indeed you could personalize the keys for every user. So you could detect a
leaked private key that is widely used and proceed against it. Still, that
wouldn't hinder further personal use of that private key, e.g. for exporting
data (similar to breaking DRM).
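
The per-user key idea from the comment above, sketched from the server's side as an added example (not code from the linked write-up or from Instagram). The `key_id` field, the master secret, the account names and the threshold are all assumptions made for illustration: each issued key is derived from a server-only secret, signatures are checked in constant time, and a key that validly signs for too many distinct accounts is treated as leaked and revoked.

```python
import hashlib
import hmac

MASTER_SECRET = b"constructed-master-secret"  # constructed value; never leaves the server
MAX_ACCOUNTS_PER_KEY = 3  # assumed threshold for "widely used"


def derive_key(key_id: str) -> bytes:
    """Per-user signing key, derived on demand so the server stores no key table."""
    return hmac.new(MASTER_SECRET, key_id.encode(), hashlib.sha256).digest()


def sign(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the request body, as a client holding `key` would compute it."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self):
        self.accounts = {}    # key_id -> accounts seen with a valid signature
        self.revoked = set()  # key_ids judged leaked

    def check(self, key_id: str, account: str, body: bytes, signature: str) -> str:
        if key_id in self.revoked:
            return "revoked"
        expected = sign(derive_key(key_id), body)
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return "bad-signature"
        seen = self.accounts.setdefault(key_id, set())
        seen.add(account)
        if len(seen) > MAX_ACCOUNTS_PER_KEY:
            self.revoked.add(key_id)  # one key signing for many accounts: treat as leaked
            return "flagged"
        return "ok"


def demo():
    """Constructed traffic: one issued key being reused across five accounts."""
    v = Verifier()
    key = derive_key("key-1001")
    body = b'{"media_id":"1"}'
    return [v.check("key-1001", acct, body, sign(key, body))
            for acct in ("alice", "bob", "carol", "dave", "erin")]
```

As the comment notes, this only surfaces wide reuse; the key's original holder staying under the threshold is indistinguishable from normal use.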

