Eltion / Tiktok-SSL-Pinning-Bypass

Bypass Tiktok SSL pinning on Android devices.
GNU General Public License v3.0

[BUG] possible instant shadowbans even using frida only in rooted device #33

Open dev2937646 opened 1 year ago

dev2937646 commented 1 year ago

I tried on more than one new rooted device with Frida and not any patched APK. Inspecting the request works, but I think it may shadowban the device and the account, because it doesn't work even when using it normally afterwards. The account cannot perform any action even normally, such as liking or following, even when it's showing OK in the request response. So I think it sends some indication somehow that triggers a shadowban, and maybe we need to find it and change it.

brunoaduarte commented 1 year ago

> I tried on more than one new rooted device with Frida and not any patched APK. Inspecting the request works, but I think it may shadowban the device and the account, because it doesn't work even when using it normally afterwards. The account cannot perform any action even normally, such as liking or following, even when it's showing OK in the request response. So I think it sends some indication somehow that triggers a shadowban, and maybe we need to find it and change it.

What I've noticed is that, after the test, if you use the same account on a "legit" device like a non-jailbroken iPhone 13 Pro for example, all the actions will work fine... I can like, comment, follow users, and everything else.

So the "ban" is only related to the request itself, it is like some of the data that is going in the request url (and header) is considered "invalid" by the server.

At the same time, I don't think that only tampering with the values directly will solve the problem, as there also seems to be some sort of "hash" that is calculated by the app before sending it to the server. So the full request and the calculated hash must match...

So in the end we must get "good" request parameters (good idea to copy the request from iPhone 13 Pro) and reverse engineer the apk to understand how to calculate the hash.

dev2937646 commented 1 year ago

> > I tried on more than one new rooted device with Frida and not any patched APK. Inspecting the request works, but I think it may shadowban the device and the account, because it doesn't work even when using it normally afterwards. The account cannot perform any action even normally, such as liking or following, even when it's showing OK in the request response. So I think it sends some indication somehow that triggers a shadowban, and maybe we need to find it and change it.
>
> What I've noticed is that, after the test, if you use the same account on a "legit" device like a non-jailbroken iPhone 13 Pro for example, all the actions will work fine... I can like, comment, follow users, and everything else.
>
> So the "ban" is only related to the request itself, it is like some of the data that is going in the request url (and header) is considered "invalid" by the server.
>
> At the same time, I don't think that only tampering with the values directly will solve the problem, as there also seems to be some sort of "hash" that is calculated by the app before sending it to the server. So the full request and the calculated hash must match...
>
> So in the end we must get "good" request parameters (good idea to copy the request from iPhone 13 Pro) and reverse engineer the apk to understand how to calculate the hash.

Tell me, did it work for you on the iPhone 13 Pro even when you use it rooted with Frida, or does it work only when you use the normal APK on a normal iPhone?

Also, I forgot to mention that when I tested both my devices, they were not using the same internet connection. I was using 2 different SIM cards in 2 different rooted devices. No SIM and no device ever had TikTok before. Wi-Fi was turned off and no Wi-Fi connection was used even once. I did not use the same IP which could have been already banned. Also, the 2 devices were completely different brands, but neither was an iPhone like yours.

However, there's some problem with the test I was doing. First, maybe it's better if the account is registered first while the device is not rooted, and even to use the account normally for a small while. Maybe it is not good to try to register the new account like that, because maybe something in the account registration process is checked, like if some of the checks are only performed at the beginning of making the account and in the first few actions of the new account.

I wonder if maybe you registered normally, so that your account can be used normally even after trying it modified. But for me, if I launch the mobile browser incognito, no intercept proxy attached, no Frida, I still cannot perform any action. It shows like it does in the UI, but when I really check, it did not do it. However, the problem again with me could also be because I still launched the browser from the rooted device. Not sure why it would detect root in the browser, but maybe it does.

Anyway, I think you made better tests. I am just curious: when you say it works on your iPhone, is it working even rooted and with Frida and intercept proxy attached, or does it only work when you use the account with the normal APK on a normal non-rooted iPhone? And the moment you attach Frida on the rooted device, does the request go through but not actually do the action, like I am seeing too?

brunoaduarte commented 1 year ago

I used the same account on the rooted emulator with the Frida-patched TikTok APK, passing the communication through BurpSuite (in this case I cannot follow people, for example)... and then I use the same account on the iPhone 13 Pro with the official TikTok app, and it works fine with all functionality...

This account I registered on the iPhone...

I have another test account that I registered using the rooted emulator... this account cannot follow people on the emulator, but when I logged it in on my iPhone I could follow a few people (15 to be more precise), then it doesn't allow me to follow people anymore, even on the iPhone...

Seems there are no exact rules, it's a sum of actions that will flag your account.

When you say you're using a rooted device, is that a physical device or an emulator?

dev2937646 commented 1 year ago

Both were real physical devices, not emulators. Both used 2 different real SIM cards. I rooted them myself manually, patching with Magisk manually first too, not using TWRP recovery. One was some Google Pixel, I think; those are much easier though. The other was something else, not Google, and I also used Magisk manually on it, but I had to use someone's leaked firehose first to take the boot image out of my device somehow, otherwise it is not possible at all. So they were physical devices, and one was a kind not usually suspected of root, and harder to root.

If you use the account you registered with the iPhone, use it from root and it fails to do anything, then use it from the iPhone and it's working. If you do that, is it able to follow more people than the one that was registered by root in the emulator initially? Or do both suddenly become unable to follow more than 15 people if you ever use the account even just once from the rooted emulator?

I wonder if you are right about the signature which is on every request. Then the server knows the device is incorrect because of the hash, pretends to accept the request as valid, but actually discards it. Plus it might be flagging the account too right away, so it won't perform many actions after that even if it is used normally afterwards. What do you think?

brunoaduarte commented 1 year ago

> If you use the account you registered with the iPhone, use it from root and it fails to do anything, then use it from the iPhone and it's working. If you do that, is it able to follow more people than the one that was registered by root in the emulator initially? Or do both suddenly become unable to follow more than 15 people if you ever use the account even just once from the rooted emulator?

Yes, the account I've registered using the iPhone I can use on the rooted emulator with limited actions (it won't accept following other profiles), and as soon as I log it back in on the iPhone it starts working again, and I can follow any profile (unlimited). The 15-profile limit only occurred on the account that I registered on the rooted emulator.

> I wonder if you are right about the signature which is on every request. Then the server knows the device is incorrect because of the hash, pretends to accept the request as valid, but actually discards it. Plus it might be flagging the account too right away, so it won't perform many actions after that even if it is used normally afterwards. What do you think?

I don't think there's a "flag" in this case, it's just a temporary block related to the device itself, it seems, because as I told you, as soon as I get the account back on the iPhone it starts working perfectly again, no limitations.

brunoaduarte commented 1 year ago

I've noticed that when logging in the account on the emulator (after reinstalling the APK, for example) it ALWAYS gives me the error "Maximum login attempts reached..." (or something like that). Then I have to reset the password using the phone number and only then will it log in the account on the emulator. On the iPhone this problem doesn't occur, I can log in directly with the password.

Also, I've noticed I can UNFOLLOW profiles successfully even with the rooted emulator, but I cannot FOLLOW.

Update 1: I just tested with the latest released APK 31.5.3 and the issue persists.

Update 2: I tried my account on an old jailbroken iPhone 6 (iOS 12.5.5, I guess) and the behavior is the same as on the rooted emulator: cannot follow profiles. Everything is back to normal running the same account on the iPhone 13 Pro.

brunoaduarte commented 1 year ago

@dev2937646 can you try this other script on your rooted device? It will bypass the root detection, and maybe your device works without restrictions.

I tested on the emulator and nothing changed.

https://github.com/fdciabdul/Frida-Multiple-Bypass

Also can you test the released APK in a non rooted device? https://github.com/Eltion/Tiktok-SSL-Pinning-Bypass/releases/tag/v31.5.3

brunoaduarte commented 1 year ago

In the Instagram version of the SSL Pinning bypass, @Eltion uses the NOX Emulator to demonstrate the process. I'm wondering if he succeeded using TikTok with Nox...

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass#video-tutorial-using-mitmproxy

tmxd09887 commented 1 year ago

Does using the patched version of the TikTok APK cause the shadowban or the follow functions to be limited?

Kythek9 commented 11 months ago

Do y'all have a working TikTok account register bot that pulls the session ID and runs on proxies?