Closed: benonymity closed this issue 2 years ago
Further developments: I made some changes (I'll open a PR) to get images to upload, but now I get a message saying {'error': 'Forbidden', 'statusCode': 403, 'message': 'Forbidden', 'errorKey': None} when trying to submit the pictures as a post. Will check some more genuine network requests and see if I can get past this too.
I'm trying to intercept the network requests to see what BeReal has changed in their API that is causing post uploads to fail, but all my proxying efforts are being foiled by their SSL pinning. I'm working on jailbreaking a device so I can bypass the SSL pinning and check upload requests and see if the API actually has changed as is the case with the picture uploads on Firebase or if the lack of an acceptable certificate is the issue at play.
Try uninstalling the app, installing it again but not opening it, then turning the proxy on and opening the app. This seemed to work for me in the past.
Which device are you working on? I have the same TLS issue with mitmproxy and iOS 16 (requests for other photos come through, but everything else fails).
Update: I managed to get it working, I changed
res = self.client.post(f"{self.api_url}/content/post", data=json_data)
to
res = self.client.post(f"{self.api_url}/content/post", json=json_data, headers={"authorization": self.token})
Awesome! Well spotted. Out of curiosity, how did you manage to crack the SSL issue? I was using the Objection framework to try to disable SSL pinning, but ran into some permission errors. I also uninstalled BeReal, installed and opened it under mitmproxy, but still ran into TLS errors, likely something to do with user-agents being associated with certificates.
Seems to be fixed by #10
I didn't manage to crack the SSL issue; I somehow managed to understand the 403 error message (provide the authentication header) and then work myself through the next error messages (bad request). The server then provided a list of wrong fields, and from past projects I knew that you sometimes have to send data with the json parameter (for example in some Discord Bot-API endpoints), so I tried that and then read through the next error messages. (But all in all it took a couple of hours.)
A friend of mine had an idea for cracking the SSL stuff that seems pretty waterproof. He told me it had worked on past projects, but we didn't test it for BeReal. You essentially decompile an APK file, then add something in some XML config file, then recompile and install it on an Android machine. Afterwards, you can monitor the requests with Wireshark.
That's the resource he used in the past: https://egorovandreyrm.com/pcap-remote-tutorial/#decrypting_https_tls_traffic
If BeReal changes the API someday, we could use that to figure out how to send something again.
A modified Android APK should be much easier to capture indeed (works with mitmproxy etc. too). The Android app is also much less obfuscated from what I could see last time I decompiled it, so you could probably extract some of the API info just by static analysis, or write a few Frida scripts and log the traffic before it even leaves the device (!). No need to decrypt traffic with your own TLS cert when you intercept it before it even leaves your device (same with the response). I am however going to leave this to all of you, as I don't have the time required. But it's a lot of fun, I promise 🙂
Yeah, Android is a lot more ripe for exploitation overall, and it sounds like there are a ton of tools to disable various network encryption services. I should just get a cheap Android to do testing on for stuff like this, or figure out how to emulate it on M1. I'm still confused by the difference between data and bodies and json and headers in network requests too, and I've had to build a commercial API! 😂 So hats off on figuring it out.
Bodies, data and json are all the same; what matters is the content type! 😄
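An added example (not code from this thread or the project) illustrating the data= vs json= fix above and the content-type point: it serialises a payload the two ways a requests-style client would and runs it through a simulated server whose field names, token value and check order are assumptions, reproducing the 403-then-bad-request-then-success sequence described earlier.

```python
import json
from urllib.parse import urlencode

# Constructed stand-in for the content/post endpoint; the required field
# names and the order of checks are assumptions, not the real API.
REQUIRED_FIELDS = ("caption", "visibility")


def build_request(payload, token=None, as_json=True):
    """Mimic a requests-style client: data= form-encodes, json= sends JSON."""
    headers = {}
    if as_json:
        body = json.dumps(payload)
        headers["content-type"] = "application/json"
    else:
        body = urlencode(payload)  # a=1&b=2 style body
        headers["content-type"] = "application/x-www-form-urlencoded"
    if token is not None:
        headers["authorization"] = token
    return headers, body


def handle_post(headers, body):
    """Simulated server: auth check first, then JSON parsing, then fields."""
    if "authorization" not in headers:
        return 403, {"error": "Forbidden", "statusCode": 403,
                     "message": "Forbidden", "errorKey": None}
    fields = {}
    if headers.get("content-type") == "application/json":
        try:
            fields = json.loads(body)
        except json.JSONDecodeError:
            fields = {}
    # A form-encoded body is never parsed as JSON, so every field looks missing.
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        return 400, {"error": "Bad Request", "statusCode": 400,
                     "message": "missing fields", "fields": missing}
    return 201, {"id": "post-id-placeholder"}


def walk_through():
    """Replay the three attempts from the thread; returns their status codes."""
    payload = {"caption": "hello", "visibility": "friends"}
    attempts = ((None, False), ("TOKEN-PLACEHOLDER", False), ("TOKEN-PLACEHOLDER", True))
    statuses = []
    for token, as_json in attempts:
        headers, body = build_request(payload, token, as_json)
        statuses.append(handle_post(headers, body)[0])
    return statuses  # [403, 400, 201]
```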
The upload function in Picture.py always fails with error 403, saying Permission Denied. I've tried a bunch of different phrasing for the Firebase authentication header with no success. Any ideas?