MITM Instagram

Dear Lazyweb,

It has been over two years since I last asked this, so I'll ask again:

How do I mitmproxy the Instagram app, from macOS, iOS (real or emulated), or Android (emulated)?

Answer only if you've seen it work with your own eyeballs, please. No guessing. No "here's a 4 year old page that says it should work."

Please read the extensive comments on the previous post for all of the things that didn't work last time.

Last time, I was able to solve my problem by proxying the Flume app, but it hasn't been updated in 3 years and that binary now crashes at startup, even on macOS 10.13.

The proximate goal is to figure out what goes in a 'configure_to_story' request when adding a 'link' sticker, using the private instagram API.



7 Responses:

  1. Chris says:

    I was able to MITM instagram.com via Safari on macOS using Charles Proxy.

    The UX is a bit of an abomination, and the "Install Charles Root Certificate" option didn't work out of the box (opened Keychain Access, but no window appeared). If you go to Help > SSL Proxying > Save Charles Root Certificate..., then add it to your login keychain, and trust it (I had to choose "When using this certificate: Always Trust" to get it to work, just setting it for SSL didn't for some reason).

    I was able to load the home page and like a photo and can see the API requests and responses.

    • Chris says:

      Interestingly, the iOS version of Charles Proxy didn't work with IG. Wondering if IG is using its own root certificate trust store vs. the system's.

    • jwz says:

      "MITM Safari loading a web page" is not what I was asking. That reveals exactly nothing about the Instagram protocol.

  2. David says:

    I at least managed to see it with my own eyes using the approach here:

    https://github.com/itsMoji/Instagram_SSL_Pinning

    So Instagram most definitely does pinning, so you need to patch the APK.

    I don't have an Instagram account, so I could only see the data from signing up but then I balked after the app demanded my phone number after signing in. But at least until that I could see all the traffic from Instagram in mitmproxy. I'm on Debian though, no idea if this works on macOS.

    So the approach is this:

    1. Install VirtualBox and the Genymotion Android emulator. Set up an Android 8.1 device (I used Pixel 2).
    2. Get the Instagram x86 APK from apkmirror with the link mentioned in the above link (the exact version, newer ones won't work).
    3. Start Instagram and then Force-Stop it again through the settings.
    4. Upload the patched libliger.so via adb, start Instagram again and Force-Stop it.
    5. Start mitmproxy, upload the certificate via adb and install it through the Wifi settings, then also in the Wifi settings configure the proxy (the IP should be your VirtualBox interface on the host).
    6. Start Instagram again and you should see the traffic.

    Good luck. I'd suggest to first try this with some non-important account...

    • cdavies says:

      You beat me to it. I also tested this and it works.

      For example here's a failed login attempt I intercepted:

      POST /api/v1/accounts/login/ HTTP/2
      Host: i.instagram.com
      X-Ig-App-Locale: en_US
      X-Ig-Device-Locale: en_US
      X-Ig-Mapped-Locale: en_US
      X-Pigeon-Session-Id: UFS-b9382f0c-9b98-4334-ab7b-0bfac4d52f04-0
      X-Pigeon-Rawclienttime: 1650108499.299
      X-Ig-Bandwidth-Speed-Kbps: -1.000
      X-Ig-Bandwidth-Totalbytes-B: 0
      X-Ig-Bandwidth-Totaltime-Ms: 0
      X-Bloks-Version-Id: 7d5d5c3edda9c3c433f0b903ced68830addf7027827d1194d3fbec0c41de4e7d
      X-Ig-Www-Claim: 0
      X-Bloks-Is-Layout-Rtl: false
      X-Ig-Device-Id: 3616dd39-a663-42e6-a940-3b536c0519f4
      X-Ig-Family-Device-Id: b7a281cb-3952-4474-ad9b-6290a72a0b3c
      X-Ig-Android-Id: android-28951e994f9d603e
      X-Ig-Timezone-Offset: 0
      X-Ig-Connection-Type: WIFI
      X-Ig-Capabilities: 3brTv10=
      X-Ig-App-Id: 567067343352427
      Priority: u=3
      User-Agent: Instagram 219.0.0.12.117 Android (26/8.0.0; 480dpi; 1080x1920; unknown/Android; Samsung Galaxy S5; vbox86p; vbox86; en_US; 346138365)
      Accept-Language: en-US
      X-Mid: YlqdjAABAAG0NvjmNmXPcUDv23N1
      Ig-Intended-User-Id: 0
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Content-Length: 972
      Accept-Encoding: gzip, deflate
      X-Fb-Http-Engine: Liger
      X-Fb-Client-Ip: True
      X-Fb-Server-Cluster: True

      signed_body=SIGNATURE.%7B%22jazoest%22%3A%2222360%22%2C%22country_codes%22%3A%22%5B%7B%5C%22country_code%5C%22%3A%5C%221%5C%22%2C%5C%22source%5C%22%3A%5B%5C%22default%5C%22%5D%7D%5D%22%2C%22phone_id%22%3A%22b7a281cb-3952-4474-ad9b-6290a72a0b3c%22%2C%22enc_password%22%3A%22%23PWD_INSTAGRAM%3A4%3A1650108499%3AATFFIEm9yEFjeWYxDMgAAQSGAif8h0o%2FjgBSSsJWLI73Bqu1OS95Z72TspxbUtySI8DnzCpO0t7%2Bsg4nPO3LyvJui0F6s9bF%2BwYYgr6l%2BKE42BGR9EFp6ibkvdGoZp5nWiXeCbQBPoTLAKbpS6kQgY9EtXk%2Be79Wmm8kW0v2yeI6aqJSCG%2BlfTWjb8OOt7HuHCbomavFdKgG9C7HV3D5rHRZM%2F%2Bs2FHY994RbjOWjcPUc9Q11dHhrUGWZWZZShmERedsMv72qACgVw1G8bnmAijZqjddBqkCb7P2hQvMAGylimfP0NmwKc3vgrrPLwNBKnSVlw307LB3X5ugRuU80oaCRBGmu5QY6Qe64mY8iCtVFR8%2BVt3Rc%2FplZe3Xcz6u94IZP7GW%22%2C%22username%22%3A%22foo%40bar.com%22%2C%22adid%22%3A%22%22%2C%22guid%22%3A%223616dd39-a663-42e6-a940-3b536c0519f4%22%2C%22device_id%22%3A%22android-28951e994f9d603e%22%2C%22google_tokens%22%3A%22%5B%5D%22%2C%22login_attempt_count%22%3A%221%22%7D

      The version with the hacked library is 3 months old now, so I don't know if that's good enough for your purposes, though I'd be surprised if the TLS DLL API has changed so much that it doesn't work with more recent versions of the app.

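      The captured login request above is easier to read once signed_body is unpacked. The following is an added example, not part of the comment and not Instagram's or mitmproxy's code: it percent-decodes the form body, strips the SIGNATURE prefix, loads the JSON, decodes the string fields that themselves carry JSON (country_codes, google_tokens), and splits enc_password into the four colon-separated fields visible in the capture. The sample body is the one from the comment with the enc_password blob shortened (a constructed sample); what that blob contains is not interpreted, since the page does not say.

```python
"""Decode the signed_body form parameter of a captured Instagram API request.

Added example for this page; not Instagram's code and not mitmproxy's.
The field layout of enc_password ('#PWD_INSTAGRAM:4:<unix ts>:<base64>') is
read off the capture above; the base64 blob is treated as opaque.
"""
import base64
import json
from dataclasses import dataclass
from urllib.parse import parse_qs

# Body from the captured POST /api/v1/accounts/login/ above, with the
# enc_password base64 tail shortened to keep the sample readable (constructed).
SAMPLE_BODY = (
    "signed_body=SIGNATURE.%7B%22jazoest%22%3A%2222360%22%2C"
    "%22country_codes%22%3A%22%5B%7B%5C%22country_code%5C%22%3A%5C%221%5C%22"
    "%2C%5C%22source%5C%22%3A%5B%5C%22default%5C%22%5D%7D%5D%22%2C"
    "%22phone_id%22%3A%22b7a281cb-3952-4474-ad9b-6290a72a0b3c%22%2C"
    "%22enc_password%22%3A%22%23PWD_INSTAGRAM%3A4%3A1650108499%3A"
    "ATFFIEm9yEFjeWYxDMgAAQSGAif8h0o%2FjgBSSsJWLI73Bqu1OS95Z72T%22%2C"
    "%22username%22%3A%22foo%40bar.com%22%2C%22adid%22%3A%22%22%2C"
    "%22guid%22%3A%223616dd39-a663-42e6-a940-3b536c0519f4%22%2C"
    "%22device_id%22%3A%22android-28951e994f9d603e%22%2C"
    "%22google_tokens%22%3A%22%5B%5D%22%2C%22login_attempt_count%22%3A%221%22%7D"
)


@dataclass
class EncPassword:
    scheme: str      # "#PWD_INSTAGRAM" in the capture
    version: int     # 4 in the capture
    timestamp: int   # unix time the app stamped into the field
    blob: bytes      # opaque; the page says nothing about its contents


def parse_enc_password(value: str) -> EncPassword:
    """Split '#PWD_INSTAGRAM:4:<unix ts>:<base64>' into its four fields."""
    parts = value.split(":", 3)
    if len(parts) != 4 or not parts[0].startswith("#PWD_"):
        raise ValueError(f"unexpected enc_password layout: {value[:20]!r}")
    scheme, version, ts, b64 = parts
    b64 += "=" * (-len(b64) % 4)   # tolerate a blob captured at an odd length
    return EncPassword(scheme, int(version), int(ts), base64.b64decode(b64))


def _unnest(value):
    """Some string fields carry JSON inside JSON; decode one level if so."""
    if isinstance(value, str) and value[:1] in ("[", "{"):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            pass
    return value


def parse_signed_body(body: str) -> tuple[str, dict]:
    """Return (signature, payload) from a form body carrying signed_body."""
    fields = parse_qs(body, strict_parsing=True)   # also percent-decodes
    signed = fields["signed_body"][0]
    signature, dot, payload_json = signed.partition(".")
    if not dot:
        raise ValueError("signed_body has no '.' separator")
    payload = {k: _unnest(v) for k, v in json.loads(payload_json).items()}
    if "enc_password" in payload:
        payload["enc_password"] = parse_enc_password(payload["enc_password"])
    return signature, payload


if __name__ == "__main__":
    sig, payload = parse_signed_body(SAMPLE_BODY)
    print("signature prefix:", sig)
    for key, val in payload.items():
        print(f"{key:>20}: {val!r}")
```

      Feeding a mitmproxy flow's request text through parse_signed_body gives the same view for any other endpoint that uses the signed_body convention; the double-encoded fields are the part that is easy to misread in the raw capture.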
      • cdavies says:

        It belatedly occurs to me to say another thing I've previously done to solve a problem like this in a quick and dirty fashion. Usually, however these types of things are doing TLS, it boils down to libssl crypto primitives in the end. To avoid modifying the app, you can just install Frida on an android emulator and hook the DH_compute_key function (it's usually a DHE key exchange, your mileage may vary) and dump the premaster key. Then you can compute the master key yourself and decrypt a raw traffic dump from Wireshark.

        I'm afraid I don't have a handy script for doing these things, but it's a working fallback if nothing else works.
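        The "compute the master key yourself" step in the comment above, as an added example that is not cdavies' script and not part of any Instagram tooling. Assumptions: the session is TLS 1.2 with an (EC)DHE key exchange and without the extended_master_secret extension (so the RFC 5246 section 8.1 derivation applies); the premaster secret is whatever the hooked key-agreement function produced (DH_compute_key in the comment; for finite-field DHE, RFC 5246 8.1.2 says the premaster is the shared value with leading zero bytes stripped); the client and server randoms are read from the ClientHello and ServerHello in the packet capture. The output is a CLIENT_RANDOM key-log line, which is the format Wireshark's TLS dissector reads, so Wireshark does the key expansion and record decryption itself. The sample secret and randoms are constructed values.

```python
"""Derive a TLS 1.2 master secret from a dumped premaster secret and write it
out as a key-log line for Wireshark.

Added example for this page, not cdavies' script. Assumes TLS 1.2, (EC)DHE,
no extended_master_secret (RFC 5246 section 8.1).
"""
import hashlib
import hmac


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed), RFC 5246 s.5.

    P_hash expands by chaining A(i) = HMAC(secret, A(i-1)), A(0) = seed, and
    concatenating HMAC(secret, A(i) + seed) until enough bytes exist.
    SHA-256 is the default PRF hash for all TLS 1.2 cipher suites unless the
    suite names another hash (e.g. the _SHA384 suites).
    """
    digestmod = getattr(hashlib, hash_name)
    full_seed = label + seed
    out = b""
    a = full_seed                                            # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()          # A(i)
        out += hmac.new(secret, a + full_seed, digestmod).digest()
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes,
                  server_random: bytes, hash_name: str = "sha256") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", CR + SR)[0:48]."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS hello randoms are 32 bytes each")
    return tls12_prf(premaster, b"master secret",
                     client_random + server_random, 48, hash_name)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              length: int, hash_name: str = "sha256") -> bytes:
    """key_block = PRF(master_secret, "key expansion", SR + CR); note the
    randoms are swapped relative to the master-secret derivation. Wireshark
    does this step itself from the key-log line; shown for completeness."""
    return tls12_prf(master, b"key expansion",
                     server_random + client_random, length, hash_name)


def keylog_line(client_random: bytes, master: bytes) -> str:
    """'CLIENT_RANDOM <hex cr> <hex master>': the NSS key-log format that
    Wireshark accepts via Preferences > Protocols > TLS > (Pre)-Master-Secret
    log filename, or the SSLKEYLOGFILE mechanism."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


# Constructed sample values: a fake premaster secret as a hook would dump it,
# plus fake 32-byte hello randoms as they would be read out of the pcap.
SAMPLE_PREMASTER = bytes.fromhex("0f" * 32)
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))


def demo_keylog_line() -> str:
    """Run the derivation on the constructed sample and return the log line."""
    ms = master_secret(SAMPLE_PREMASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    return keylog_line(SAMPLE_CLIENT_RANDOM, ms)


if __name__ == "__main__":
    # Append this line to the file Wireshark is pointed at, then open the pcap.
    print(demo_keylog_line())
```

        If the ClientHello and ServerHello both carry extended_master_secret, the seed is the handshake-transcript hash instead of CR + SR and the line above will not decrypt anything; that case needs the session hash from the capture, which this example does not compute.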

  3. I don’t know how to fix it, but when I was a worse person, I worked at Faceb**k adjacent to the iOS networking team. They hardcode the ssl keys, and I’d assume they’re doing it on instagram as well.
