Workflow to bypass cert-pinning #18

MrAn0nym · 2023-08-08T16:16:33Z

MrAn0nym
Aug 8, 2023

Wondered which workflows you use to reverse engineer the Bereal…
Atm I'm mainly smali-modding the apk to remove cert pinning and using mitm proxy the intercept the traffic
Do you know if there are more efficient ways to do this?

Lukas1h · 2023-08-08T20:27:24Z

Lukas1h
Aug 8, 2023

Not sure about android, but I was able to bypass the certificate pinning by injecting frida + objection into the decrypted ipa.

I believe you can do the same with android APKs.

Give this a read.

0 replies

fowled · 2023-09-09T14:36:20Z

fowled
Sep 9, 2023

Hey y'all!

I first stumbled upon this repository this summer, when I too wanted to bypass certificate pinning on an Android emulator. I didn't quite find the solution quickly, but after several hours of trying different methods and scratching my hair, I found a way!

Here's the link to an article I just finished writing about that: https://fowled.gitbook.io/bereal/articles/hacking-bereal

Not sure about android, but I was able to bypass the certificate pinning by injecting frida + objection into the decrypted ipa.

I believe you can do the same with android APKs.

Give this a read.

Actually, Frida doesn't seem to work on newer versions of the BeReal app on Android. Every time I ran the command to boot up the Frida server (not even injecting anything like a certificate unpinner), BeReal would just crash over and over, with the following error: Process crashed: Bad access due to protection failure.

That being said, I have only tested this with the inject mode and not the gadget one, as it seemed more complex.

6 replies

NeedNot Sep 13, 2023

I have been in the same boat, a long time ago i was able to just use http toolkit on a laptop running androix x86, it would work with get requests but the app went into lock down mode and stopped sending put requests and then later i went back to try again and it wouldn't do anything so i just copied the urls from other repos but this is nice you found a way but I am still having problems with your method

first off

mine says N/A which means non rooted, I am using the exact same setup as you. How did you root it or get it to work

fowled Sep 15, 2023

Hey @NeedNot, I've been incredibly busy with school last week and will probably be for the next couple days, but I'm gonna do my best to share a screen recording of the whole process soon!

Though, I don't remember doing anything special to root the emulator apart from installing the Magisk APK and rebooting

U14-dev Dec 14, 2023

Yeah same here, wanted to take a look at some new endpoints but just installing the magisk apk like mentioned in your method is not working on adb for me. Any further ideas how to get it working? Was way easier before the whole cert pinning shit... :D

NeedNot Dec 14, 2023

I got working by using RootAVD, not sure why it worked all the sudden but it was actually super easy. ran 1 command then it worked, and root avd sets up magisk for you.

as for the the endpoints I already did it yesterday.

get upload urls for a BTS post (returns 2 webps and 1 mp4)
https://mobile.bereal.com/api/content/posts/multi-format-upload-url?mimeTypes=image%2Fwebp&mimeTypes=video%2Fmp4

then it's the same process to upload the content and to post a bts bereal add this to the json of a normal post

    "btsMedia": {
    "bucket": "storage.bere.al",
    "path": "",
    "width": 1500,
    "height": 2000,
    "mediaType": "video"
  },

edit: FYI the only limit for the video is it has to be under 5mb. no time limit so yesterday I literally posted a 1 minute bts

U14-dev Dec 14, 2023

Uhh big thanks you just saved my day. Will have a look at rootavd and hopefully get it working for myself

Workflow to bypass cert-pinning #18

Uh oh!

Replies: 2 comments · 6 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 2 comments 6 replies