This is how I reverse engineered the Instagram Android app (together with the Linux binaries bundled with it) to locate the private key used for signing requests to Instagram's private API, which is what gives third-party clients the ability to upload photos and enjoy fewer rate limits.
It posed a challenge, and I was also interested in working out how these third-party clients actually upload to Instagram's servers.
What signing algorithm does Instagram use?
For all requests to its private API, Instagram signs the POST data with HMAC-SHA256 and passes the result in the signed_body parameter, using the format
signed_body=signed.postdata, for example:
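As an added example (not code from the original post), this Ruby snippet builds a signed_body value in the format described above and checks one on the receiving side; the key and POST data it uses are constructed placeholders, not the key this post recovers.

```ruby
require 'openssl'

# Builds the value the post describes:
#   signed_body=<hex HMAC-SHA256(key, postdata)>.<postdata>
# `key` is whatever the caller supplies; the real key is not reproduced
# here, and the tests use a constructed placeholder.
def signed_body(key, postdata)
  mac = OpenSSL::HMAC.hexdigest('SHA256', key, postdata)
  "#{mac}.#{postdata}"
end

# Constant-time comparison of two strings, so a verifier does not leak
# how many leading bytes of the MAC matched through response timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiving-side check of a signed_body value: split on the first '.'
# only (the hex MAC never contains one, but the post data may), recompute
# the MAC over the remainder and compare. Returns the post data on
# success and nil on any failure (no dot, wrong key, tampered data).
def verify_signed_body(key, value)
  mac, postdata = value.split('.', 2)
  return nil if mac.nil? || postdata.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, postdata)
  constant_time_equal?(mac, expected) ? postdata : nil
end
```

Because the verifier needs the same key the client holds, anyone who extracts that key from the APK can produce valid signatures: the MAC proves possession of the key, not that the request came from the official client.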
Getting the key for the HMAC-SHA256 hash
Pull the Instagram APK off your device (make sure USB debugging is enabled under Settings -> Developer options):
adb shell pm path com.instagram.android to get the path of the Instagram app.
adb pull PATH_FROM_ABOVE to pull the APK.
Decompile the apk using apktool:
./apktool d com.instagram.android.apk
Navigate to the decompiled smali code directory
Find the file that makes requests
grep -r "RequestUtil.java" .
Open that file
Navigate to the line starting with
.method public static b(Ljava/lang/String;)Ljava/lang/String;
Change the line below from
Two lines below
.line 70 insert the following code to log the key (coming from variable v0, which is returned from the
getInstagramString function in the code above):
Save the file and exit nano
Navigate back to the apktool directory
Build the apk
./apktool b com.instagram.android
Navigate to the built apk location
Create a signing key
keytool -genkey -v -keystore android.keystore
Sign the apk
jarsigner -verbose -keystore android.keystore com.instagram.android.apk mykey
Zipalign the apk
zipalign -f -v 4 com.instagram.android.apk instagram.apk
Push the apk to your device's sdcard
adb -d push instagram.apk /sdcard/instagram.apk
Install the apk on your phone.
Start logcat on your computer
adb -d logcat | grep "LOGGING"
Open the Instagram app and log in; the private key will be printed in the logcat output.
We can create a simple Ruby app to simulate a login:
Hopefully the login is successful; you can then request other endpoints in the private API (sniff the Instagram app's traffic to find these endpoints and the POST data they require).
This article was created for educational purposes only; obviously Instagram's public API is the only one that should be used for making requests. You can find me on Twitter @Will3942, and you can comment on this article on Hacker News here.