- Jul 2, 2020
Snapchat Reverse Engineering - Part 1 - Snapchat Account Creator Bot - API based
This is part 1 of a few planned Snapchat journey threads.
Part 1 covers the creation of a standalone Snapchat account creator bot. Part 2 will cover a different topic.
Goal:
- Develop a standalone Snapchat account creator bot for the mass creation of Snapchat accounts, based on the secret Snapchat API.
Progress:
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO - around 70 %
0 - - - - - - - - - - - - - - - 50 - - - - - - - - - - - - - - 100
Duration so far:
- more than 6 months of daily work
Specials:
- High throughput, mass creation, up to 2000 Snapchat account creations per day (!).
- No requirement of connected phones or tablets.
- No requirement of emulators (Google Android, Apple iOS).
- No requirement of browser emulations.
- No usage of the web interfaces at accounts.snapchat.com or web.snapchat.com.
- Based on the reverse engineered secret Snapchat API. [1]
- No requirement of SMS account verifications.
- Account verifications by email API (internal, external by provider). [2]
- No requirement of own hardware (PC, Apple Mac) at home/at the office.
- No headaches about local bandwidth, local power consumption, local air condition, local outages.
- Complete remote server solution (Linux).
- Upscaling by adding more server hardware.
- Management console via browser (setup, monitoring, speed adjustments etc.).
Current situation:
- The automated creation or "mass creation" of Snapchat accounts is the most complicated part at Snapchat since November 2023.
- Most important fact: The source code is NOT for sale. Not even for US$ 1 M. ;-)
- The video shows an SSH "terminal" window under macOS. It's connected via SSH to a remote dedicated Linux server running at a data center. The Snapchat account creator will be started at the Linux console by hand using several command line switches. As you can see, there is no fancy GUI, since everything will be controlled by a browser interface (once set up, everything will run 24/7 in the background).
- 3 different people asked me to realize the Snapchat account creator based on Snapchat for Android, because they need the original Snapchat "access tokens" to be imported into their own small Snapchat bots.
- The Snapchat account creator based on Snapchat for iOS still works as of today (June 4th, 2024), but it needs some speed improvements and new workflows (e. g. randomize usernames etc.).
Steps:
[x] Inspect Snapchat 12.8x.x.x in detail. [3] - success
[x] Reverse engineer the secret Snapchat API for Apple iOS. [1] - success
[x] Reverse engineer the secret Snapchat API for Google Android. [1] - success
[x] Bypass the "hard coded" SSL encryption (so called "SSL pinning", therefore now "SSL unpinning"). [4] - success
[x] Inspect all relevant HTTP/2.0 requests. [5] - success
[x] Inspect all "encoded" gRPC Protobuf requests (to the Snapchat servers). [6] [7] - success
[x] Inspect all "encoded" gRPC Protobuf responses (from the Snapchat servers). - success
[-] Research possible hidden HTTP/3.0 requests. [8] - TODO
[-] Research possible hidden WebSockets requests. [9] - TODO
[?] Increase the lifetime of automatically created Snapchat accounts (no early locks or permanent bans). - pending
[?] Lock/ban impact: Connection quality research (data center, residential, rotating residential, 4G/5G). - pending
[?] Lock/ban impact: Email provider quality research (free mailer, Gmail, own domains, disposable email provider). - pending
[?] Lock/ban impact: Device data (readable by Google Android only). - pending
... to be continued
(as of June 4th, 2024)
What doesn't work anymore as of June 2024:
- Currently all Snapchat accounts that you create sort of automated with Android phones by using known automation solutions won't live very long.
- Once you create more than 50 or 100 accounts per day (!) by using proxy servers, data center IP addresses etc., Snapchat will ban them permanently. Sometimes the accounts are alive for just 2 hours.
- Before November 2023 Snap Inc. just locked the accounts temporarily, to be unlocked by visiting accounts.snapchat.com.
- Starting end of 2024 Snap Inc. started a sort of new security campaign and became very strict.
- Unfortunately Google allows owners of Android apps to transfer very sensitive device data to them (e. g. device ID, IMEI, WiFi network names, WiFi networks in your area, location data, battery status etc.). That makes it easy for companies like Snap Inc. to detect patterns, since you leave a lot of footprints.
- Apple iOS doesn't allow the transfer of device data, so accounts created with Snapchat for iOS have a longer lifetime.
- So the main goal is to detect all possible loopholes in the Snapchat server structure to increase the lifetime of mass created Snapchat accounts.
My toolset:
- IDA Pro for macOS
- Ghidra for macOS
- Wireshark for macOS
- 5 different proxy server types by 4 different suppliers (e. g. custom coded C/C++ extensions for Squid)
- my own Protobuf "cracker" (custom coded in C++) for Linux
- vim editor for Linux (I love to code live at the Linux console)
- several Linux servers at the Intranet
- several dedicated Linux servers at different colocation data centers
- special managed Intranet 1 GBit switches (with custom extensions)
- redundant high speed DSL
- several Apple Mac computers at the Intranet (2 iMacs, 2 MacBook Pro, ...)
- 5 Apple iPhones (15 Pro Max, 14 Pro Max, 13 Pro Max, ...)
- 2 Apple iPad Pro
- 12 Samsung Android devices
- ...
My skills:
- Reverse engineering in full-time since 2016
- Full-time bot creator since 2016
- Internet marketing since 20xx
- C/C++ developer in full-time since 20xx
- Apple Swift developer (iOS apps, macOS tools)
- Full stack developer
- Located at West Europe UTC+2
FAQ:
Q: Is this your first Snapchat bot solution?
A: No, I created a little Snapchat bot for daily tasks back in 2021 already. So for logins, sending story posts, sending Snaps (text, images, links), responding to Snaps (text, images, links), adding friends etc. But Snapchat changed their internal API a lot, so the old Snapchat bot didn't work anymore in mid-2023. At the end of 2023 I started again by reverse engineering the massively changed Snapchat API based on version 12.x.x.x.
Q: Why don't you use Android emulators?
A: The Snapchat servers detect the usage of Android emulators since 2019 or so. The detection part of the Android app is not written in Java (to be decompiled for Android), they use external libraries written in C/C++. So the lifetime of your Snapchat accounts will be reduced, you also may receive temporary locks earlier.
Q: Why don't you use the web interfaces at accounts.snapchat.com and web.snapchat.com?
A: The mass account creation at accounts.snapchat.com or web.snapchat.com didn't work for me. They always asked for additional SMS verifications. This doesn't matter if you create only 10 or 20 Snapchat accounts. But what about the costs for 2000 Snapchat accounts created every single day? It's very easy to run browser emulations, but how would you scale up your business to run 2000 Snapchat accounts daily, each with 500+ friends, and handle incoming Snaps to be immediately answered? Besides the fact that every message you send will be marked with "Web". And - let's be honest - that's a real conversion killer for whatever leads you want to generate.
Q: How long would it take me to learn all basics (SSL unpinning, GRPC, Protobuf, disassembling external libraries, rebuilding HTTP/2.0 GRPC requests)?
A: Even if you are an experienced full-time developer it would take you months. Snapchat implemented some nice "traps" to make it as complicated as possible for starters. So it could happen that you fail for 2 or 3 weeks calling a certain API endpoint and one day you will find the permanent solution.
Q: Many people write about SSL unpinning, decompilers and such at the net. It doesn't seem that complicated to me.
A: Besides the fact that Snap Inc. reads/watches such tutorials as well, they love to take them down. This happened many times on GitHub, starting with "Casper". Afterwards they patched their servers immediately. So you should be aware that most still existing tutorials are outdated or kept short intentionally.
Again I have to say: The source codes are NOT for sale. Not even for US$ 1 M. ;-)
And now it's up to you:
- Which of the above topics you would like to be covered in detail?
- Do you need screenshots for certain things (e. g. a typical GRPC Protobuf request in binary/hex/real, a typical Ghidra session)?
- What's your personal experience regarding the lifetime of mass created Snapchat accounts?
- Please let me know your thoughts, ideas, worries, experience.
Anyways, this journey thread will be updated to inform you about successes and failures, my progress, results of my test cases and to answer your questions.
Short updates (random daily work) will be posted at my BHW profile: https://www.blackhatworld.com/members/reverseengineering.1413206/
So maybe you should follow me here at BHW to keep you up-to-date? https://www.blackhatworld.com/members/reverseengineering.1413206/follow
Some easy terms have been used to make it easier for non-professionals to read and understand the concept. For example: I wrote "access tokens", "hard coded" or "encoded" although there is much more behind.
(I am not native English/American, so please excuse any spelling or grammar mistakes.)
Thank you to @reaaski for his inspiration to create this journey thread finally. ;-)
Side notes (linked from above):
[1] The secret, hidden, internal Snapchat API has nothing to do with the official Snapchat Marketing API: https://developers.snap.com There is no documentation of the internal Snapchat API, so reverse engineering is required to discover the background.
[2] The email verification by real, permanently available email addresses is important. Because once you switch your connection type or your device (if you do real life logins), or Snapchat detects another change, you will be forced to re-verify your account with a code sent by email. So the usage of disposable email providers makes no sense.
[3] Snap Inc. reads StackOverflow and GitHub and also scans for new "how to" tutorials regarding their secret Snapchat API. They took down many repositories on GitHub already, starting with "Casper". So I don't want to reveal the real Snapchat app version I target at the moment. Otherwise they could patch some loopholes I found. For the same reason I didn't release code snippets on GitHub or StackExchange.
[4] SSL pinning: (follows, I didn't find a noob-friendly explanation so far)
[5] HTTP/2.0 aka SPDY: https://en.wikipedia.org/wiki/HTTP/2
[6] gRPC (Google Remote Procedure Calls): https://en.wikipedia.org/wiki/GRPC
[7] Protobuf (Protocol Buffers): https://en.wikipedia.org/wiki/Protocol_Buffers
[8] HTTP/3.0 aka QUIC: https://en.wikipedia.org/wiki/HTTP/3
[9] WebSockets: https://en.wikipedia.org/wiki/WebSocket
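A worked example for the "inspect encoded gRPC Protobuf requests/responses" steps, added here and not taken from the original post or from the author's own C++ "cracker": a small schema-less decoder in Python. It first splits a captured gRPC HTTP/2 body into its length-prefixed frames, then walks each Protobuf message by wire type, which is what lets you read traffic without the app's .proto files. The sample body, the function names and the field layout are constructed for this example and are not Snapchat data.

```python
"""Schema-less inspection of gRPC-framed Protobuf messages (added example).

Assumptions (not from the original post): function names, the sample payload
and its field layout are constructed for this example.
"""
import struct

# Protobuf wire types; see https://protobuf.dev/programming-guides/encoding/
# (3 and 4 are the deprecated start/end-group markers and are rejected below)
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5
MAX_NESTING = 8  # stop guessing "is this a nested message?" beyond this depth


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint starting at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(buf: bytes, depth: int = 0) -> list[tuple[int, int, object]]:
    """Walk a Protobuf message without its .proto schema.

    Returns [(field_number, wire_type, value), ...] in wire order. A
    length-delimited field is tentatively parsed as a nested message; if that
    fails (strings, packed repeated scalars, arbitrary bytes) it is returned
    as raw bytes, the same heuristic `protoc --decode_raw` uses.
    """
    fields = []
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type == FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of message")
            payload = buf[pos:pos + length]
            pos += length
            value = payload
            if length and depth < MAX_NESTING:
                try:
                    value = decode_message(payload, depth + 1)
                except ValueError:
                    pass  # not a well-formed message: keep the raw bytes
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def split_grpc_frames(body: bytes) -> list[tuple[bool, bytes]]:
    """Split a gRPC DATA body into (compressed_flag, message_bytes) frames.

    Every gRPC message carries a 1-byte compressed flag and a 4-byte big-endian
    length (the Length-Prefixed-Message of the gRPC-over-HTTP/2 protocol).
    """
    frames = []
    pos = 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated gRPC frame header")
        compressed = body[pos]
        (length,) = struct.unpack_from(">I", body, pos + 1)
        pos += 5
        if pos + length > len(body):
            raise ValueError("truncated gRPC frame payload")
        frames.append((compressed == 1, body[pos:pos + length]))
        pos += length
    return frames


def decode_grpc_body(body: bytes) -> list[list]:
    """Decode every frame of a gRPC body; compressed frames need inflating first."""
    out = []
    for compressed, msg in split_grpc_frames(body):
        if compressed:
            raise ValueError("compressed frame: decompress per grpc-encoding first")
        out.append(decode_message(msg))
    return out


# Constructed sample body, two gRPC frames (not real traffic):
#  frame 1 (28 bytes): field1 varint 150, field2 "alice",
#    field3 nested {field1 varint 1, field2 fixed32 16}, field4 fixed64 1
#  frame 2 (2 bytes): field1 varint 2
SAMPLE_GRPC_BODY = bytes.fromhex(
    "00 0000001c"
    "089601" "1205 616c696365" "1a07 0801 1510000000" "21 0100000000000000"
    "00 00000002" "0802"
)

if __name__ == "__main__":
    for i, msg in enumerate(decode_grpc_body(SAMPLE_GRPC_BODY)):
        print(f"--- frame {i} ---")
        for field_no, wire_type, value in msg:
            print(f"field {field_no} (wire type {wire_type}): {value!r}")
```

The output is field numbers and raw values only, which is exactly the point: without the schema you still see which fields an app sends and how large they are, so the same decoder serves the defensive review of your own app's traffic (which device identifiers actually leave the phone) as well as protocol research. `protoc --decode_raw` gives the same view for a single message; the frame splitter is what this adds for gRPC bodies containing several messages.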