kik-bot-api-unofficial
About kik certs, auth and group joining
Hi, I found some information about kik:auth:cert from issue #62
I found structures (Account adrianaabram23:1223344):
- Pub key on auth: https://pastebin.com/GnTA5B3b (check kik.auth.gen.pub.key)
- Some private put requests after auth: https://pastebin.com/PXbHpCgt
- When I open group searching: https://pastebin.com/tchLsh7K (check kik.auth.manager.store.signature)
- Some cryptographic: https://pastebin.com/aFpt4Dgu
I need help to understand how both parameters are created and what they depend on.
P.S.
Update about group joining:
- The join method does not always return a 400 error. On one of the tested accounts there was no error, just an empty answer body. In this case, the account did join the groups, but I did not do any additional actions.
- On the remaining ones, a 500/400 error; if an error occurred, no accounts were entered into the groups.
New info: https://pastebin.com/Fcv2AmtW
Hmm, looks like useful information.
But what are those PUT requests? Are they HTTP requests? In general, how did you generate this data and what does it represent?
I found it with a rooted Android and this feature: https://github.com/ac-pm/Inspeckage
It is not HTTP requests.
The only requests that occur in Kik are image uploads, as well as Kik metrics (https://clientmetrics-augmentum.kik.com/clientmetrics/augmentum/v1/data?flattened=true)
It is HTTP:
All the information I sent before - Kik Shared preferences:
You can do this with any Android emulator - I use Genymotion. I can give a link to the guide on how to configure it.
For three days I tried to intercept the traffic with the help of mitmproxy and sslsplit - nothing happened, so for me it's a great option :D
Ok, new information
Maybe it is "signature" (I don't know):
This is interesting but we still don't know what determines whether joining a group will fail or succeed.
<error type="cancel" code="4244"><full xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"></full></error></iq>
It happens if the group is full.
Friends, if anyone can help with this - I can pay
@tomer8007 Check this file, maybe it will be useful: safetynet_service.txt
The SafetyNet proto file clearly explains how Kik chose to use it, thanks. My bet regarding how it works is that:
- When you create an account from the phone, by default joining a group should work
- Under some circumstances (which I don't know), Kik decides to mark an account as needing additional verification
- When an account is getting marked, joining a group returns a 400 error unless you verify it.
- The way to verify accounts is through SafetyNet
- As much as I have tried with other apps, bypassing/simulating SafetyNet can only work reliably using a real device. In case you're interested there are many discussions on SafetyNet on the web.
@CheshireCaat Do you know if that's somewhat correct?
Hello! Maybe we can improve on this subject with this? => https://github.com/tomer8007/kik-bot-api-unofficial/blob/e58bdfb31f998b2f08c00bcba09c6245a0000718/kik_unofficial/protobuf/protobuf_source/antispam/safetynet/v1/safetynet_service.proto
SafetyNet is useless for the following reasons:
You can "pass" the check by logging in on a phone which will pass the challenge.
You can then extract the jid / android-id / device-id values and use them to authenticate on a client, therefore you are on a client and authenticated with a previously "verified" SafetyNet response.
Therefore Kik does not use it in pretty much any way in validating you for joining groups because I assume they also would know about this. It matters how you connect to Kik instead, at the protocol level.