-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add instagram app support #82
base: main
Are you sure you want to change the base?
Conversation
Evgenii Devisok seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
||
Interceptor.attach(f, { | ||
onLeave: function (retvalue) { | ||
retvalue.replace(1); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is definitely interesting, but it's tricky - right now all the existing scripts allow TLS interception just by the one extra MitM CA, but this line disables TLS validation completely for this code 😬
That creates some potential security problems. Even if you're intercepting Instagram traffic yourself, you probably don't want the risk that anybody on your local network could intercept you and steal your Instagram account.
All the other hooks handle this by using related APIs to actually validate the certificate, and just trust the one extra cert that's configured. That doesn't have this problem, but I think that's impractically difficult here since there's no public code & docs available for libliger anywhere I can see. We can't easily tell what certificate this function is handling.
I think there's probably a route through here. What do you think about adding a ENABLE_INSECURE_HOOKS
variable in config.js, defaulting to false, and then:
- This hook checks that variable, inside this function here.
- If
false
, the first time the hook runs, it prints a "Insecure hook required" message with instructions: setENABLE_INSECURE_HOOKS=true
in config.js, but be aware that this is insecure and you could be intercepted by others on your network. - If
true
, run this line as here and disable TLS.
@@ -56,6 +61,23 @@ TARGET_LIBS.forEach((targetLib) => { | |||
} | |||
}); | |||
|
|||
function hook_proxygen_SSLVerification(library) { | |||
const functionName = "_ZN8proxygen15SSLVerification17verifyWithMetricsEbP17x509_store_ctx_stRKNSt6__ndk112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEPNS0_31SSLFailureVerificationCallbacksEPNS0_31SSLSuccessVerificationCallbacksERKNS_15TimeUtilGenericINS3_6chrono12steady_clockEEERNS_10TraceEventE"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any idea how consistent this name is? It looks like the kind of thing that might change frequently between releases.
Can we match against this instead, with something like *proxygen*SSLVerification*verifyWithMetrics*FailureVerificationCallbacks*
? That seems likely to be sufficiently specific but much less likely to change in future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know, this method name is taken from libliger.so. It works.
Added facebook proxygen ssl verifiction hook. Instagram wouldn't work without it.