Thank you all for the congrats, they mean a ton and my wife and I are loving reading them! ❤ Answering two common questions here: 1) Deployment: I just used Sideloadly for other people too. This was for < 10 phones - again, very small wedding! I was beating myself up during the edit when realizing I didn't talk about this at all. With more heads up, I would've tried to collect UDIDs from people so that I could adhoc-sign a build, and then host it somewhere with a QR code. I'm also curious if adding folks as internal TestFlight testers would have been a viable strategy, though getting through the initial Apple review would have been... tricky, maybe. I'm really curious if other people have ideas that would work on a larger scale here, please let me know. 2) Why not proxy requests at the network level: I think this is a totally viable strategy. As a couple people pointed out throughout the comments, you'd still need to trust a root certificate on each phone since these are HTTPS requests, but that's not much harder than installing a custom app. I went the custom app route for a couple reasons (didn't want to deal with network stuff on the day of the wedding, didn't want to interfere with people's _actual_ NYT apps, wanted to customize the UI anyways, and this sort of modification is just more fun for me), but I think this is totally viable.
@bscheirman2 ай бұрын
so you left out the actual hard part -- how did you convince all your future in-laws to trust you with their phone for even 30 seconds ?!
@valentinthevoz7776Ай бұрын
@@howiieb Wait, really? Then why does he need to compile the framework and rebuild the app on the phone using sideloadly?
@howiiebАй бұрын
@@valentinthevoz7776 I think I missed something badly there.
@samcates435Ай бұрын
The whole time, I was just waiting to find out how he got the modified version onto all their phones but he never said.
@brycedotcoАй бұрын
Convincing the in-laws is easy - convincing my own family members (who grew up with my iPhone antics) is harder! 😛
@beetaylor717Ай бұрын
Some techies at NYT saw some very strange Sentry errors on the day you filmed this
@zoellazayce6796Ай бұрын
is it possible to block people from doing this?
@JayLooneyАй бұрын
@@zoellazayce6796 It's possible to attempt blocking people from doing a lot of things, but if you're a motivated engineer with physical access to a device, it's pretty much not possible to stop you from doing whatever you want.
@LukeIsASmurfАй бұрын
@@zoellazayce6796I guess obfuscation? It'd be incredibly hard and not worthwhile. Of course, obfuscation is still not perfect, but it's the best you'll get.Plus, you're hopefully a good person and wouldn't do such a thing.
@OrangeYTT25 күн бұрын
@@zoellazayce6796API obfuscation and encrypted response are a start, but it can only really be mitigated.
@kibbewater2 ай бұрын
Congratulations on getting married! I absolutely love your content, there aren't many people who go this in-depth into iOS workings and how to modify it. There are no other creators who provide such an easy format to follow with and with this level of quality. Keep up the amazing work!
@tiojoe_Ай бұрын
Congratulations! Every time I watch, it's like a refreshing breath of fresh air. Your content is absolutely mesmerizing, consistently delivering creativity and inspiration. Keep up the outstanding work - it's a joy to follow along!
@JollyRompingАй бұрын
Wait- tell me about the crème brûlée
@iamDani3l2 ай бұрын
congratulations man! :) I also remember when you posted a pic of your wordle clone (back before they were acquired by NYT) that changed the color of iOS’s native keyboard keys as you played (I still want it 😂)
@brycedotcoАй бұрын
I can't believe you remember that! That was a fun one - I gotta check if I still have the code for that anywhere. IIRC it might have been from before keyboards were rendered in a separate process, so would be a lot harder now if so? But I wonder if I'm wrong & that is still viable!
@downthecrop2 ай бұрын
Congratulations homie
@someonesalt5084Ай бұрын
Absolutely love your content, congrats on your wedding! Love the technical knowledge in ur vids and how you explain it so clearly
@ThrowawayAccountToCommentАй бұрын
Congrats, this was really interesting, even as an android dev !
@mantasdydxАй бұрын
Just wanna say that I am a junior dev who Is still learning a lot but this video was both fun to watch and easy to understand! Congrats on the wedding and good stuff man
@cooldude3010Ай бұрын
A good husband and an even better iOS developer. Congrats mate.
@SrKinko2 ай бұрын
Very cool! How did you manage deploying your changes to your family members' devices?
@SrKinko2 ай бұрын
@@lightningdev1 Yeah I'm not sure, that's why I was asking.
@matsuu11552 ай бұрын
Also wondering this
@Surasia2 ай бұрын
I assume they simply used sideloadly on all devices, it's definitely possible in a short time with just family members.
@nohs8776Ай бұрын
since hes a ios dev im guessing that he pays the $100 for the development program so he probably just used testflight for the least friction
@tdrg_Ай бұрын
@@nohs8776TestFlight also goes through App Review. It was likely ad-hoc distribution (the itms-services thing)
@SonyTheakanath2 ай бұрын
Bryce it's heartwarming to see your content. Hope you're doing well.
@ryanmoore72142 ай бұрын
Echoing your sentiment Sony! Hope you’re both doing well.
@brycedotcoАй бұрын
Sony!! My original iOS partner in crime - hope you're doing great man ❤ And Ryan, same goes to you! We all gotta catch up next time we're in the same area!
@SeedxАй бұрын
Sorry if I missed the reasoning, but why not just bring a router and have a custom DNS server that maps that API FQDN to your own server which sends out the modified json? That way all everyone has to do is connect to your router
@gabealbert493Ай бұрын
It wouldn't work because the URLs are using SSL. If you self-signed a certificate for NYTimes, no device would accept it unless you added it. Then again, I have no idea how he got this modified app on everyone's device either.
@Max_G4Ай бұрын
@@gabealbert493 That at least wouldn't require this to do double the work with making an Android patch too. Or just locking those that don't have iPhones out
@MattGrayYESАй бұрын
That was really interesting, and well explained: I could understand what was going on even though I’ve barely done any Mac/iOS programming. I will however add myself to the list of people asking how you managed to deploy the app without rousing suspicion.
@MrRonanX2 ай бұрын
Wow! It's super interesting! How did you install this modified version of the app on your family's devices?
@stinkytobyАй бұрын
@@howiieb That's called a man in the middle attack and HTTPS protects against that, unless you set up a Proxy on each of the phones, or add your own certificate to the phones otherwise (Also from other comments, apparently the NYTimes app uses certificate pinning (i.e. checking against a hard-coded certificate, I think) which means even that wouldn't work) Also if it was done by intercepting the network requests at the non-client side, the entire rest of the video would be pointless :p
@sarah-voАй бұрын
I'm don't do much of iOS development but maybe he could be using TestFlight?
@cmatrix67202 ай бұрын
Congratulations for the wedding!!!🥳I love your content. Please keep doing everyday reverse-engineering stuff 🙏 I learn a lot
congrats on the wedding!! also your videos are awesome, ive tried to recreate some of this via android debugger, so thanks!
@yuanhuang6821Ай бұрын
Congratulations man, another wonderful journey begins!
@Litleevy2 ай бұрын
Congrats bro!! Ive been waiting for a new video! Keep posting
@justonefraАй бұрын
I'm kind of confused why, if you just had to load one version of the puzzle with this setup, it wouldn't have been viable to just set all ids as a future still unused value (e.g. 99999) so you wouldn't have to risk the random generator returning a previously loaded id (because the initial range you set it to generate was including the actual puzzle range) and you wouldn't have had to process the partial path redirecting all the puzzle results (it would've also been nice to check in the active.json proxy if the requested date was the wedding date or a date previous to that to avoid issues if a guest forgot to restore the regular version of the app). Maybe I'm just missing some context or it was an intentional choice. Loved the video tho
@brycedotcoАй бұрын
Great question / callout here - the reason for the randomness each time was so that the puzzles wouldn't be cached during development while I was iterating on them. But I think you're right that that opens up some risk of it actually overlapping with a real puzzle that had already been pulled down and cached. Using a range that didn't overlap with real puzzle ids would have been smarter here (or at least, trying that first!) For the last point here - I didn't go into this much during the video (totally should have), but this app used a different bundle ID than the real NYT Games app, so was installed side-by-side with the original - so either way this would only cause issues during development, the actual version would work fine even if a real puzzle id was picked, since there would be no cached puzzles already. But still a great callout since this would've caused a lot of confusion for me in development if a bad ID was picked!
@Skle2 ай бұрын
Congratulations on the wedding Bryce!
@gabrielespilotricavaiola9324Ай бұрын
Congratulations, man! This video is mind-blowing. Can’t wait to learn more from you!
@JPKloess17 күн бұрын
It's nice to know someone besides me still has an active wordle group.
@meco2 ай бұрын
This deserves 100x more views. Congratulations on getting married!
@mathesonstepАй бұрын
How did you get everyone to sideload the app?
@davidrichey2034Ай бұрын
Awesome! I learned a ton, thanks for sharing!
@spreen_coАй бұрын
seeing the title i didn’t expect to learn anything from this, but I did! seven years of ios development and I had no idea these apis existed 😄
@fgaryАй бұрын
dude this was sick! great video
@Crates-MediaАй бұрын
Dude, you are a total boss. I'm inspired, especially with my own wedding coming up. Brilliant idea. Of course, when I do it, I'll be using a MITM attack and poisoning everyone's DNS so it's a surprise.
@Crates-MediaАй бұрын
Very smooth, debonair vibes you're giving off, Mr. Handsome Guy who's deliberately showing off his hacking skills skills in a Tuxedo. ;-) Rockin' like a "James Bond, if he lived long enough for his juevos to be preserved in carbonite and deposited in Ms. Bond's purse" thing.
@unblockablАй бұрын
I love this channel! And congrats!
@oskarristolangАй бұрын
this is some of the s-tier content on this platform
@p8tgames2 ай бұрын
the joke at the start deserves gold
@sarah-voАй бұрын
Very cool! I'm tempted to do something similar for my future wedding lol
@odebekАй бұрын
Congrats, this was super cool to follow along.
@trainboy20192 ай бұрын
Congratulations!🎉
@pedrohkpiano2 ай бұрын
Congratulations man, enjoy!
@phila9966Ай бұрын
Congratulations Bryce! Love your content. Just a small correction: iOS < android everytime (ask the Mrs 😜). Let the engagement in the replies feed the YT algorithm
@quadrupledamage22 күн бұрын
14:41 "Division would trip it up" LMAO
@lampree2 ай бұрын
I love learning reverse engineering in the iOS world. Keep making videos and congrats!
@Akshatgiri29 күн бұрын
This is awesome. A question - would it not be easier to change the origin url in the app to your own and write a simple backend that returns custom data where you want it and acts as a proxy to the real api for the rest of the requests?
@majesticdragonfly2 ай бұрын
Congrats!!
@BlueFalconHD2 ай бұрын
Congrats!
@bscheirman2 ай бұрын
hahaha that intro was 👌 congrats!
@menvaetwoАй бұрын
Congratulations
@zribedevАй бұрын
congrats legend
@RemcoPeggemanАй бұрын
This is amazing! Do you know of any ways to do this (injecting Frameworks into an app) for MacOS apps?
@brycedotcoАй бұрын
Check out DYLD_INSERT_LIBRARIES (you may need SIP off for this) as a temporary option, or optool as a way to modify a binary as a longer term option!
@KyleeYay2 ай бұрын
you're so fucking smart wtfffff, congratsss!!
@stephen98492 ай бұрын
Congratulations! What resource would you recommend for learning this kind of low level objc/swift?
@GRAnimated2 ай бұрын
You're awesome!
@MasonSchmidgallАй бұрын
Super cool. How'd you deploy it though?
@AumKalyanpurАй бұрын
Would it not be easier to setup a network spoofer on a wifi hotspot, and then have the spoofer redirect the times json link to a json you host on your website? I think you could easily do it with bettercap and then just print out the network connect qr code and have the people connect to the network
@peatralАй бұрын
Yeah, that's what I thought too. Instead of having everyone install something on their phones, just being connected to the right wifi would have been even more magical. Then it can even be a surprise. Imagine not knowing about it and when you start doing the games you realize they are about the wedding.
@eduardog3000Ай бұрын
He’d have to install a self signed https certificate on their phones. Even then if the app uses certificate pinning it still wouldn’t work.
@bryceblazegamingyt9741Ай бұрын
@@eduardog3000 You can get a regular signed certificate on a private network, it takes some trickery but Ive done it for my self hosting with a reverse proxy.
@almognaАй бұрын
really really coollll why didn't you reruted the ny puzzel server to yours on the local router level with a relatively simple api ?
@bardo00792 ай бұрын
congrats
@spreen_coАй бұрын
how did you manage to get this app onto all the attendees' phones?
@trudyandgeorgeАй бұрын
I was wondering the same thing. Perhaps he organised a casting / projection of a phone's screen that had the injected app side-loaded, setup in a games corner or something, then guests could roam around with a beer and check it out and be sufficiently surprised and impressed.
@haakonnessАй бұрын
I guess everyone who wanted to play just had to plug into his mac to make their device a test device for his developer account, and deploy as a test-app
@spreen_coАй бұрын
@@haakonness I think adding that many devices to your developer account will be a problem
@pythonop73032 ай бұрын
This channel is gold. Anyone knows similar channel for android?
@bscheirman2 ай бұрын
os_log is indeed separately annoying
@Amrhossam96Ай бұрын
Just Wow.
@sargundhillon2808Ай бұрын
Sous vide creme brulee? (Guessing based on mason jar)
@devini15ytАй бұрын
Just watched the whole video to figure out how he did the deployments and he never got around to it.
@igorordecha27 күн бұрын
macOS users trying to maximize an app so they don't have to scroll horizontally all the time challenge (IMPOSSIBLE)
@arjix87382 ай бұрын
why attack android in the connections minigame? 😔
@ProSureString2 ай бұрын
🎉
@victorriurean2 ай бұрын
🎉💒
@DemsWАй бұрын
What would be hard about intercepting those message on the network with a proxy and returning whatever you want ? Seems like it would be the most basic and seamless, though you would need to ask the particular venue you are reserving.
@GranPCАй бұрын
HTTPS
@AntonioNoackАй бұрын
The modern web (since 10+ years ago) runs on HTTPS. You cannot simply claim to be NYTimes with a proxy, and if you were to claim the DNS server, address lookup is cached, so you'd have to clear the DNS caches somehow.
@DemsWАй бұрын
@@AntonioNoack I see, thanks
@ashadsaeed25142 ай бұрын
first
@ahmetsametsatr6370Ай бұрын
I was really interesested to listen before i heard IOS rich mf. :) :)
@DavidMulderOneАй бұрын
At 6:29 : Why not just basically find and replace the domain name to your own domain name? Setting up a proxy service at that point would be comparatively easy.
@mynameisDuck20 күн бұрын
Great video (despite the Android bashing :( ) I think I solved the Mini, is it (spoilers): B E A N S R E G A L A R O M A W I R E S L E A S H