Comments (11)
Yeah, Android is a lot more ripe for exploitation overall, and it sounds like there are a ton of tools to disable various network encryption services. I should just get a cheap Android to do testing on for stuff like this or figure out how to emulate it on M1. I'm still confused by the difference between data and bodies and json and headers in network requests too, and I've had to build a commercial API! 😂 So hats off on figuring it out.
Bodies, data and json are all the same; what matters is the content type! 😄
from befake.
Further developments: I made some changes that I'll open as a PR to get images to upload, but now I get a message saying {'error': 'Forbidden', 'statusCode': 403, 'message': 'Forbidden', 'errorKey': None} when trying to submit the pictures as a post. Will check some more genuine network requests and see if I can get past this too.
I'm trying to intercept the network requests to see what BeReal has changed in their API that is causing post uploads to fail, but all my proxying efforts are being foiled by their SSL pinning. I'm working on jailbreaking a device so I can bypass the SSL pinning and check upload requests and see if the API actually has changed as is the case with the picture uploads on Firebase or if the lack of an acceptable certificate is the issue at play.
Try uninstalling the app, installing it again but not opening it, then turn the proxy on and open the app; this seemed to work for me in the past.
Which device are you working on? I have the same TLS issue with mitmproxy and iOS 16 (requests for other photos come through but everything else fails).
Update: I managed to get it working, I changed
res = self.client.post(f"{self.api_url}/content/post", data=json_data)
to
res = self.client.post(f"{self.api_url}/content/post", json=json_data, headers={"authorization": self.token})
Awesome! Well spotted. Out of curiosity, how did you manage to crack the SSL issue? I was using the Objection framework to try to disable SSL pinning, but ran into some permission errors. I also uninstalled BeReal, installed and opened it under mitmproxy, but still ran into TLS errors, likely something to do with user-agents being associated with certificates.
Seems to be fixed by #10
I didn't manage to crack the SSL issue; I somehow managed to understand the 403 error message (provide the authentication header) and then work myself through the next error messages (bad-request). The server then provided a list of wrong fields, and from a past project I knew that you sometimes have to send data with the json parameter (for example in some Discord Bot-API endpoints), so I tried that and then read through the next error messages. (But all in all it took a couple of hours.)
A friend of mine had an idea for cracking the SSL stuff that seems pretty waterproof. He told me it had worked on past projects, but we didn't test it for BeReal. You essentially decompile an APK file, then add something in some XML config file and then recompile and install on an Android machine. Afterwards, you can monitor the requests with Wireshark.
That's the resource he used in the past: https://egorovandreyrm.com/pcap-remote-tutorial/#decrypting_https_tls_traffic
If BeReal changes the API someday, we could use that to figure out how to send something again.
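Added example, not part of the original thread or of befake's code: it shows what `data=` and `json=` put on the wire for the same dict, and how an endpoint that checks the authorization header before the body format would answer each stage (403, then 400, then success). The `toy_server` function, the payload field names and the token are hypothetical; the real API's checks are not documented on this page.

```python
import json
from urllib.parse import urlencode

# Constructed payload; field names are illustrative, not BeReal's schema.
PAYLOAD = {"isPublic": False, "location": {"latitude": 48.1, "longitude": 11.5}}

def encode_as_data(payload):
    """What an HTTP client's data=<dict> sends: a form-encoded body."""
    headers = {"content-type": "application/x-www-form-urlencoded"}
    return headers, urlencode(payload).encode()

def encode_as_json(payload, token=None):
    """What json=<dict> sends, optionally with an authorization header."""
    headers = {"content-type": "application/json"}
    if token:
        headers["authorization"] = token
    return headers, json.dumps(payload).encode()

def toy_server(headers, body):
    """Hypothetical endpoint: checks auth first, then the body format."""
    if not headers.get("authorization"):
        return 403, {"error": "Forbidden"}
    if headers.get("content-type") != "application/json":
        return 400, {"error": "Bad Request", "detail": "expected JSON body"}
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, {"error": "Bad Request", "detail": "malformed JSON"}
    # Type checks: form encoding would have flattened these to strings.
    wrong = [k for k, t in (("isPublic", bool), ("location", dict))
             if not isinstance(doc.get(k), t)]
    if wrong:
        return 400, {"error": "Bad Request", "wrongFields": wrong}
    return 201, {"ok": True}

def walk_through(token="constructed-token"):
    """Status codes for the three stages against the toy server."""
    h1, b1 = encode_as_data(PAYLOAD)         # data=, no authorization header
    h2, b2 = encode_as_data(PAYLOAD)         # header added, still form-encoded
    h2["authorization"] = token
    h3, b3 = encode_as_json(PAYLOAD, token)  # json= plus authorization header
    return [toy_server(h, b)[0] for h, b in ((h1, b1), (h2, b2), (h3, b3))]

if __name__ == "__main__":
    print(encode_as_data(PAYLOAD)[1])   # nested dict flattened to a string
    print(encode_as_json(PAYLOAD)[1])   # structure and types preserved
    print(walk_through())
```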
A modified Android APK should be much easier to capture indeed (works with mitmproxy etc. too). The Android app is also much less obfuscated from what I could see last time I decompiled it, so you could probably extract some of the API info just by static analysis, or write a few Frida scripts and log the traffic before it even leaves the device (!). No need to decrypt traffic with your own TLS cert when you intercept it before it even leaves your device (same with the response). I am however going to leave this to all of you, as I don't have the time required. But it's a lot of fun, I promise 🙂