Note that Instagram doesn't encrypt requests to their private API, they're only signing them. In fact the parameter is called 'signed_body', not 'encrypted_body'.
The traffic is encrypted over SSL (HTTPS), so there's no need for double-encryption, since presumably the app can trust the DNS and certificate chains on the device. If I were a paranoid Instagram developer, though, I could even use a custom certificate chain that only trusted certificates on my server, so there's no point to doing the encryption in the app.
Interesting write up. Seems rather simple, really. Presumably Instagram could change their private key and rollout a new client version on each platform, breaking all third party apps using the current key though. Although I guess it'd be just as easy to get it again.
Well if you have the private key on the device you can always pull it out, so really they should have used public key encryption if they didn't want people to forge the signatures.
Public key encryption to sign involves encrypting using my own private key. Which would be on the phone, and so any end user could pull it from the device.
Well, you can lock down the device so that the end user doesn't own it, doesn't have root, and can't inspect your binary/data outside of your exposed interface. Which is exactly what iPhones and many Android vendors attempt to do.
You can download an APK using http://apps.evozi.com/apk-downloader/, decompile and modify just as the article has said, and push to the Android SDK's emulator. I have done several analyses of apps using this method and a MITM proxy.
I'm sure there are additional techniques to obfuscate the private key, but relying on locked down devices isn't possible in the Android ecosystem. You don't need a device at all to perform the steps outlined in the article.
Typical DRM/crypto problem. As soon as one party is out of your control (e.g. client on end-user device) you already lost. Even on the iPhone you could do a jailbreak. You could only make things more difficult, in worst case you would have to open the device and directly access the RAM or something.
Indeed you could personalizes the keys for every user. So you could detect a leaked private key that is widely used and proceed against. Still that wouldn't hinder personal further use of that private key, e.g. for exporting data (similar to breaking DRM).
Why exactly is that bad? Decompiling is a common tool, not only on Android. And however, Android notices that the app is signed differently, so it's still secure.
Is it still the case that the app only uses HTTPS to create a session and plain HTTP for everything else? I remember that was the case about a year ago after using mitmproxy to sniff traffic, although I don't recall HMAC being used to sign requests then. Anyway, I wondered then why nobody had used firesheep to devastating effect, e.g. a bot sitting on an open wifi and posting NSFW images to any account on the network.
Isn't the fact that they are using a simple HMAC-SHA256 hash also a root of the problem?
If instead of using the POST data only to create the hash they added another information, like a the hour of the day. Wouldn't it be way harder for a hacker to actually understand what went into signing the request?
15 comments
[ 2.1 ms ] story [ 71.7 ms ] threadAnyway interesting post.
I'm sure there are additional techniques to obfuscate the private key, but relying on locked down devices isn't possible in the Android ecosystem. You don't need a device at all to perform the steps outlined in the article.
Indeed you could personalizes the keys for every user. So you could detect a leaked private key that is widely used and proceed against. Still that wouldn't hinder personal further use of that private key, e.g. for exporting data (similar to breaking DRM).
If instead of using the POST data only to create the hash they added another information, like a the hour of the day. Wouldn't it be way harder for a hacker to actually understand what went into signing the request?