Hacker News new | past | comments | ask | show | jobs | submit login
Reverse-engineering Instagram to access the private API (definedcodehosting.com)
59 points by 1il7890 on Dec 24, 2013 | hide | past | favorite | 15 comments

Is it still the case that the app only uses HTTPS to create a session and plain HTTP for everything else? I remember that was the case about a year ago after using mitmproxy to sniff traffic, although I don't recall HMAC being used to sign requests then. Anyway, I wondered then why nobody had used firesheep to devastating effect, e.g. a bot sitting on an open wifi and posting NSFW images to any account on the network.

I'm fairly certain they use HTTPS for all the requests involve user token.

Note that Instagram doesn't encrypt requests to their private API, they're only signing them. In fact the parameter is called 'signed_body', not 'encrypted_body'.

Anyway interesting post.

The traffic is encrypted over SSL (HTTPS), so there's no need for double-encryption, since presumably the app can trust the DNS and certificate chains on the device. If I were a paranoid Instagram developer, though, I could even use a custom certificate chain that only trusted certificates on my server, so there's no point to doing the encryption in the app.

Isn't the fact that they are using a simple HMAC-SHA256 hash also a root of the problem?

If instead of using the POST data only to create the hash they added another information, like a the hour of the day. Wouldn't it be way harder for a hacker to actually understand what went into signing the request?

Not really. He decompiled the code so it's pretty simple to figure out regardless.

Interesting write up. Seems rather simple, really. Presumably Instagram could change their private key and rollout a new client version on each platform, breaking all third party apps using the current key though. Although I guess it'd be just as easy to get it again.

Well if you have the private key on the device you can always pull it out, so really they should have used public key encryption if they didn't want people to forge the signatures.

Public key encryption to sign involves encrypting using my own private key. Which would be on the phone, and so any end user could pull it from the device.

So what can you do ? You can't fight the private key retrieval right ?

Well, you can lock down the device so that the end user doesn't own it, doesn't have root, and can't inspect your binary/data outside of your exposed interface. Which is exactly what iPhones and many Android vendors attempt to do.

Typical DRM/crypto problem. As soon as one party is out of your control (e.g. client on end-user device) you already lost. Even on the iPhone you could do a jailbreak. You could only make things more difficult, in worst case you would have to open the device and directly access the RAM or something.

Indeed you could personalizes the keys for every user. So you could detect a leaked private key that is widely used and proceed against. Still that wouldn't hinder personal further use of that private key, e.g. for exporting data (similar to breaking DRM).

You can download an APK using http://apps.evozi.com/apk-downloader/, decompile and modify just as the article has said, and push to the Android SDK's emulator. I have done several analyses of apps using this method and a MITM proxy.

I'm sure there are additional techniques to obfuscate the private key, but relying on locked down devices isn't possible in the Android ecosystem. You don't need a device at all to perform the steps outlined in the article.

Nothing. If this article reminds of anything it's that anyone can patch Android apps (and resign them with a new key) to do anything they want.

Why exactly is that bad? Decompiling is a common tool, not only on Android. And however, Android notices that the app is signed differently, so it's still secure.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact