
Using Proxyman to reverse engineer the Instagram private API

Introduction

In recent years, social media platforms like Instagram have become ingrained in our daily routines and have a tremendous impact on our society. To use these platforms to their full potential, one might consider automating certain workflows. In this example we will look at Instagram. While Instagram's official API is available for developers, it only provides access to a very limited set of functions. However, with the help of various reverse engineering techniques, developers can monitor Instagram's private API and unlock additional features. In this article we will explore how to patch the Instagram APK and use Proxyman, a popular proxy tool, to reverse engineer the Instagram private API. By the end of this article, you will have a better understanding of how to patch an APK and how to leverage reverse engineering techniques to peek into APIs they don't want you to see.

Enable Whitehat settings on Facebook Profile

(This step is not necessary because we are patching the APK and overriding the emulator certificate, but I included it anyway.)

  1. Go to the Researcher Settings for your account and select the following options.

Facebook Whitehat Settings

Patching the Instagram APK

Approaches

When I started this project I had to choose how to approach the problem that the Instagram app locks down its certificate trust and won't let you use your own certificate right out of the box. There are multiple solutions that I have tried: you can patch the shared object libraries, but this is quite complicated for beginners and the decompiled code varies from version to version. The easier solution is to open, patch and rebuild the APK yourself.

Opening the APK

We want to extract the contents of the APK, modify them and rebuild it so we can use the patched app on our own device. When working on APKs I like to use APKLab, a VS Code extension that helps with the basic functionality.

  1. Download the APK and open the folder in VS Code. It is important to use this version, as newer versions have restrictions that will not work for our use case. Also make sure that the distribution matches the one you use for your emulator. In my case it's x86.
  2. To open the APK, open the folder where you saved it in VS Code, press CTRL+SHIFT+P, select APKLab: Open an APK and uncheck --only-main-classes.

Patching the APK

Now that we have the contents of the Instagram APK we can start to modify it so it fits our use case. We will have to modify network_security_config.xml and AndroidManifest.xml and edit/delete a few entries that prevent the app from rebuilding.

  1. Delete res/xml/fb_network_security_config.xml
  2. Create the file res/xml/network_security_config.xml with the following content:

```xml
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">i.instagram.com</domain>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>

    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

  3. Replace fb_network_security_config with network_security_config in res/values/private.xml and AndroidManifest.xml
  4. Remove line 4564, `<item name="android:textColorHint">@color/igds_tertiary_text</item>`, from res/values/styles.xml
  5. Delete assets/drawables.bin
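The `<certificates src="user" />` trust anchor is what makes the patched app accept a proxy CA, and `cleartextTrafficPermitted="true"` allows plain HTTP. As an added example (not from the article), this small Python audit parses a network_security_config.xml and flags exactly those two settings per scope; both embedded configs are constructed samples, the patched one from the article and a hardened release-style one for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the patched config from the article, embedded inline.
PATCHED_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">i.instagram.com</domain>
    <trust-anchors>
      <certificates src="user" />
      <certificates src="system" />
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: what a release build should look like (system CAs only, no cleartext).
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
</network-security-config>"""

def audit_network_security_config(xml_text):
    """Return findings for every config scope that trusts user-installed CAs
    (the setting that lets a proxy CA intercept TLS) or permits cleartext.
    debug-overrides only take effect when android:debuggable is true."""
    root = ET.fromstring(xml_text)
    findings = []
    for scope_tag in ("base-config", "domain-config", "debug-overrides"):
        for scope in root.iter(scope_tag):  # iter() also reaches nested domain-configs
            domains = [d.text.strip() for d in scope.findall("domain")]
            label = f"{scope_tag} ({', '.join(domains)})" if domains else scope_tag
            anchors = scope.find("trust-anchors")
            srcs = [] if anchors is None else [c.get("src") for c in anchors.findall("certificates")]
            if "user" in srcs:
                findings.append(f"{label}: trusts user-installed CAs")
            if scope.get("cleartextTrafficPermitted", "false").lower() == "true":
                findings.append(f"{label}: cleartext traffic permitted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("patched", PATCHED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg) or ["no findings"])
```

Running the audit against the decoded res/xml of a release APK is a quick way to confirm that a build you ship does not carry the interception-friendly settings this article adds on purpose.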

Rebuilding the APK

Now that we have patched the APK we can rebuild it to flash it onto our device. This step is really simple.

  1. Right-click apktool.yaml, select APKLab: Rebuild the APK and uncheck --use-aapt2

Setting up the Emulator

The easiest way to set up an Android emulator for our use case is Android Studio. In this step we will download Android Studio and set up a new emulated device.

  1. Download Android Studio and install it.
  2. Create a new Android Studio project with a Basic Activity.
  3. To create a new Android emulator, first open the Device Manager at the top right of the screen. Then create a device with the following specifications: Release: Q, API Level: 29, ABI: x86, Target: Android 10.0
  4. To flash our patched APK, simply start the device and drag and drop the patched APK into the device. (The patched APK is in the dist/ folder.)
  5. Now open the patched app, use Login with Facebook and sign into the account where you enabled the whitehat settings.
  6. Go to your Profile, Settings, Internal, Whitehat Settings and enable the following options. (This is not necessary because we are overriding the emulator certificate, but I included it anyway.)

Instagram Whitehat Settings

Using Proxyman to intercept encrypted traffic

Now that we are ready to intercept and decrypt the traffic that the Instagram app uses to communicate with its private API, we can set up Proxyman and capture the requests.

  1. Download Proxyman and install it.
  2. Enable the following domains in the Proxyman Tools / SSL Proxying List.

Proxyman SSL Settings

  3. Install the certificate on your emulator via Certificate / Install Certificate on Android / Emulators and hit Override Emulator. Make sure you have all the dependencies installed and that the emulator is running.
  4. If you have done everything correctly, you should see the traffic in your Proxyman app when using Instagram on the emulator!

Proxyman Traffic

Conclusion

In conclusion, I can say that patching the Instagram APK and using Proxyman to reverse engineer the Instagram private API can be a powerful tool for those looking to gain more insight into and control over the Instagram platform and to develop their own applications and automations on top of it. While this process does involve some basic technical expertise and some potential risks, it can provide valuable data and insights that are otherwise hidden behind encryption. It's important to note that reverse engineering an API with malicious intent is illegal and can have serious consequences. If you're considering this process, be sure to proceed with caution and always prioritize ethical and legal practices. Overall I don't consider the process to be overly difficult and anyone should be able to follow the steps I described above. Be sure to leave a comment and also check out my other posts for more content like this!