NSURLProtocol: How I Stole an App For My Wedding

  Рет қаралды 53,805

Bryce Bostwick

Bryce Bostwick

Күн бұрын

Пікірлер: 118
@brycedotco
@brycedotco Ай бұрын
Thank you all for the congrats, they mean a ton and my wife and I are loving reading them! ❤ Answering two common questions here: 1) Deployment: I just used Sideloadly for other people too. This was for < 10 phones - again, very small wedding! I was beating myself up during the edit when realizing I didn't talk about this at all. With more heads up, I would've tried to collect UDIDs from people so that I could adhoc-sign a build, and then host it somewhere with a QR code. I'm also curious if adding folks as internal TestFlight testers would have been a viable strategy, though getting through the initial Apple review would have been... tricky, maybe. I'm really curious if other people have ideas that would work on a larger scale here, please let me know. 2) Why not proxy requests at the network level: I think this is a totally viable strategy. As a couple people pointed out throughout the comments, you'd still need to trust a root certificate on each phone since these are HTTPS requests, but that's not much harder than installing a custom app. I went the custom app route for a couple reasons (didn't want to deal with network stuff on the day of the wedding, didn't want to interfere with people's _actual_ NYT apps, wanted to customize the UI anyways, and this sort of modification is just more fun for me), but I think this is totally viable.
@bscheirman
@bscheirman 2 ай бұрын
so you left out the actual hard part -- how did you convince all your future in-laws to trust you with their phone for even 30 seconds ?!
@valentinthevoz7776
@valentinthevoz7776 2 ай бұрын
@@howiieb Wait, really? Then why does he need to compile the framework and rebuild the app on the phone using sideloadly?
@howiieb
@howiieb 2 ай бұрын
@@valentinthevoz7776 I think I missed something badly there.
@samcates435
@samcates435 2 ай бұрын
The whole time, I was just waiting to find out how he got the modified version onto all their phones but he never said.
@brycedotco
@brycedotco Ай бұрын
Convincing the in-laws is easy - convincing my own family members (who grew up with my iPhone antics) is harder! 😛
@beetaylor717
@beetaylor717 2 ай бұрын
Some techies at NYT saw some very strange Sentry errors on the day you filmed this
@zoellazayce6796
@zoellazayce6796 Ай бұрын
is it possible to block people from doing this?
@JayLooney
@JayLooney Ай бұрын
@@zoellazayce6796 It's possible to attempt blocking people from doing a lot of things, but if you're a motivated engineer with physical access to a device, it's pretty much not possible to stop you from doing whatever you want.
@LukeIsASmurf
@LukeIsASmurf Ай бұрын
@@zoellazayce6796I guess obfuscation? It'd be incredibly hard and not worthwhile. Of course, obfuscation is still not perfect, but it's the best you'll get.Plus, you're hopefully a good person and wouldn't do such a thing.
@OrangeYTT
@OrangeYTT Ай бұрын
​@@zoellazayce6796API obfuscation and encrypted response are a start, but it can only really be mitigated.
@kibbewater
@kibbewater 2 ай бұрын
Congratulations on getting married! I absolutely love your content, there aren't many people who go this in-depth into iOS workings and how to modify it. There are no other creators who provide such an easy format to follow with and with this level of quality. Keep up the amazing work!
@tiojoe_
@tiojoe_ 2 ай бұрын
Congratulations! Every time I watch, it's like a refreshing breath of fresh air. Your content is absolutely mesmerizing, consistently delivering creativity and inspiration. Keep up the outstanding work - it's a joy to follow along!
@downthecrop
@downthecrop 2 ай бұрын
Congratulations homie
@JollyRomping
@JollyRomping 2 ай бұрын
Wait- tell me about the crème brûlée
@iamDani3l
@iamDani3l 2 ай бұрын
congratulations man! :) I also remember when you posted a pic of your wordle clone (back before they were acquired by NYT) that changed the color of iOS’s native keyboard keys as you played (I still want it 😂)
@brycedotco
@brycedotco Ай бұрын
I can't believe you remember that! That was a fun one - I gotta check if I still have the code for that anywhere. IIRC it might have been from before keyboards were rendered in a separate process, so would be a lot harder now if so? But I wonder if I'm wrong & that is still viable!
@someonesalt5084
@someonesalt5084 2 ай бұрын
Absolutely love your content, congrats on your wedding! Love the technical knowledge in ur vids and how you explain it so clearly
@cooldude3010
@cooldude3010 2 ай бұрын
A good husband and an even better iOS developer. Congrats mate.
@SrKinko
@SrKinko 2 ай бұрын
Very cool! How did you manage deploying your changes to your family members' devices?
@SrKinko
@SrKinko 2 ай бұрын
@@lightningdev1 Yeah I'm not sure, that's why I was asking.
@matsuu1155
@matsuu1155 2 ай бұрын
Also wondering this
@Surasia
@Surasia 2 ай бұрын
I assume they simply used sideloadly on all devices, it's definitely possible in a short time with just family members.
@nohs8776
@nohs8776 2 ай бұрын
since hes a ios dev im guessing that he pays the $100 for the development program so he probably just used testflight for the least friction
@tdrg_
@tdrg_ 2 ай бұрын
@@nohs8776TestFlight also goes through App Review. It was likely ad-hoc distribution (the itms-services thing)
@ThrowawayAccountToComment
@ThrowawayAccountToComment 2 ай бұрын
Congrats, this was really interesting, even as an android dev !
@SonyTheakanath
@SonyTheakanath 2 ай бұрын
Bryce it's heartwarming to see your content. Hope you're doing well.
@ryanmoore7214
@ryanmoore7214 2 ай бұрын
Echoing your sentiment Sony! Hope you’re both doing well.
@brycedotco
@brycedotco Ай бұрын
Sony!! My original iOS partner in crime - hope you're doing great man ❤ And Ryan, same goes to you! We all gotta catch up next time we're in the same area!
@MrRonanX
@MrRonanX 2 ай бұрын
Wow! It's super interesting! How did you install this modified version of the app on your family's devices?
@stinkytoby
@stinkytoby 2 ай бұрын
@@howiieb That's called a man in the middle attack and HTTPS protects against that, unless you set up a Proxy on each of the phones, or add your own certificate to the phones otherwise (Also from other comments, apparently the NYTimes app uses certificate pinning (i.e. checking against a hard-coded certificate, I think) which means even that wouldn't work) Also if it was done by intercepting the network requests at the non-client side, the entire rest of the video would be pointless :p
@royal-blackcat
@royal-blackcat 2 ай бұрын
I'm don't do much of iOS development but maybe he could be using TestFlight?
@Seedx
@Seedx 2 ай бұрын
Sorry if I missed the reasoning, but why not just bring a router and have a custom DNS server that maps that API FQDN to your own server which sends out the modified json? That way all everyone has to do is connect to your router
@gabealbert493
@gabealbert493 2 ай бұрын
It wouldn't work because the URLs are using SSL. If you self-signed a certificate for NYTimes, no device would accept it unless you added it. Then again, I have no idea how he got this modified app on everyone's device either.
@Max_G4
@Max_G4 2 ай бұрын
@@gabealbert493 That at least wouldn't require this to do double the work with making an Android patch too. Or just locking those that don't have iPhones out
@justonefra
@justonefra 2 ай бұрын
I'm kind of confused why, if you just had to load one version of the puzzle with this setup, it wouldn't have been viable to just set all ids as a future still unused value (e.g. 99999) so you wouldn't have to risk the random generator returning a previously loaded id (because the initial range you set it to generate was including the actual puzzle range) and you wouldn't have had to process the partial path redirecting all the puzzle results (it would've also been nice to check in the active.json proxy if the requested date was the wedding date or a date previous to that to avoid issues if a guest forgot to restore the regular version of the app). Maybe I'm just missing some context or it was an intentional choice. Loved the video tho
@brycedotco
@brycedotco Ай бұрын
Great question / callout here - the reason for the randomness each time was so that the puzzles wouldn't be cached during development while I was iterating on them. But I think you're right that that opens up some risk of it actually overlapping with a real puzzle that had already been pulled down and cached. Using a range that didn't overlap with real puzzle ids would have been smarter here (or at least, trying that first!) For the last point here - I didn't go into this much during the video (totally should have), but this app used a different bundle ID than the real NYT Games app, so was installed side-by-side with the original - so either way this would only cause issues during development, the actual version would work fine even if a real puzzle id was picked, since there would be no cached puzzles already. But still a great callout since this would've caused a lot of confusion for me in development if a bad ID was picked!
@mantasdydx
@mantasdydx Ай бұрын
Just wanna say that I am a junior dev who Is still learning a lot but this video was both fun to watch and easy to understand! Congrats on the wedding and good stuff man
@JPKloess
@JPKloess Ай бұрын
It's nice to know someone besides me still has an active wordle group.
@yuanhuang6821
@yuanhuang6821 2 ай бұрын
Congratulations man, another wonderful journey begins!
@Skle
@Skle 2 ай бұрын
Congratulations on the wedding Bryce!
@cmatrix6720
@cmatrix6720 2 ай бұрын
Congratulations for the wedding!!!🥳I love your content. Please keep doing everyday reverse-engineering stuff 🙏 I learn a lot
@meco
@meco 2 ай бұрын
This deserves 100x more views. Congratulations on getting married!
@p8tgames
@p8tgames 2 ай бұрын
the joke at the start deserves gold
@Litleevy
@Litleevy 2 ай бұрын
Congrats bro!! Ive been waiting for a new video! Keep posting
@gabrielespilotricavaiola9324
@gabrielespilotricavaiola9324 2 ай бұрын
Congratulations, man! This video is mind-blowing. Can’t wait to learn more from you!
@mathesonstep
@mathesonstep 2 ай бұрын
How did you get everyone to sideload the app?
@JanR1995
@JanR1995 Ай бұрын
Interesting Interesting 1:22 "iOS things" Okay, I'm gone.
@spreen_co
@spreen_co 2 ай бұрын
seeing the title i didn’t expect to learn anything from this, but I did! seven years of ios development and I had no idea these apis existed 😄
@noahjoyner8232
@noahjoyner8232 2 ай бұрын
congrats on the wedding!! also your videos are awesome, ive tried to recreate some of this via android debugger, so thanks!
@oskarristolang
@oskarristolang 2 ай бұрын
this is some of the s-tier content on this platform
@MattGrayYES
@MattGrayYES Ай бұрын
That was really interesting, and well explained: I could understand what was going on even though I’ve barely done any Mac/iOS programming. I will however add myself to the list of people asking how you managed to deploy the app without rousing suspicion.
@unblockabl
@unblockabl Ай бұрын
I love this channel! And congrats!
@royal-blackcat
@royal-blackcat 2 ай бұрын
Very cool! I'm tempted to do something similar for my future wedding lol
@davidrichey2034
@davidrichey2034 Ай бұрын
Awesome! I learned a ton, thanks for sharing!
@quadrupledamage
@quadrupledamage Ай бұрын
14:41 "Division would trip it up" LMAO
@trainboy2019
@trainboy2019 2 ай бұрын
Congratulations!🎉
@Crates-Media
@Crates-Media 2 ай бұрын
Dude, you are a total boss. I'm inspired, especially with my own wedding coming up. Brilliant idea. Of course, when I do it, I'll be using a MITM attack and poisoning everyone's DNS so it's a surprise.
@Crates-Media
@Crates-Media 2 ай бұрын
Very smooth, debonair vibes you're giving off, Mr. Handsome Guy who's deliberately showing off his hacking skills skills in a Tuxedo. ;-) Rockin' like a "James Bond, if he lived long enough for his juevos to be preserved in carbonite and deposited in Ms. Bond's purse" thing.
@odebek
@odebek 2 ай бұрын
Congrats, this was super cool to follow along.
@Akshatgiri
@Akshatgiri Ай бұрын
This is awesome. A question - would it not be easier to change the origin url in the app to your own and write a simple backend that returns custom data where you want it and acts as a proxy to the real api for the rest of the requests?
@fgary
@fgary Ай бұрын
dude this was sick! great video
@lampree
@lampree 2 ай бұрын
I love learning reverse engineering in the iOS world. Keep making videos and congrats!
@RemcoPeggeman
@RemcoPeggeman 2 ай бұрын
This is amazing! Do you know of any ways to do this (injecting Frameworks into an app) for MacOS apps?
@brycedotco
@brycedotco Ай бұрын
Check out DYLD_INSERT_LIBRARIES (you may need SIP off for this) as a temporary option, or optool as a way to modify a binary as a longer term option!
@pedrohkpiano
@pedrohkpiano 2 ай бұрын
Congratulations man, enjoy!
@phila9966
@phila9966 2 ай бұрын
Congratulations Bryce! Love your content. Just a small correction: iOS < android everytime (ask the Mrs 😜). Let the engagement in the replies feed the YT algorithm
@stephen9849
@stephen9849 2 ай бұрын
Congratulations! What resource would you recommend for learning this kind of low level objc/swift?
@AumKalyanpur
@AumKalyanpur 2 ай бұрын
Would it not be easier to setup a network spoofer on a wifi hotspot, and then have the spoofer redirect the times json link to a json you host on your website? I think you could easily do it with bettercap and then just print out the network connect qr code and have the people connect to the network
@peatral
@peatral 2 ай бұрын
Yeah, that's what I thought too. Instead of having everyone install something on their phones, just being connected to the right wifi would have been even more magical. Then it can even be a surprise. Imagine not knowing about it and when you start doing the games you realize they are about the wedding.
@eduardog3000
@eduardog3000 2 ай бұрын
He’d have to install a self signed https certificate on their phones. Even then if the app uses certificate pinning it still wouldn’t work.
@bryceblazegamingyt9741
@bryceblazegamingyt9741 Ай бұрын
@@eduardog3000 You can get a regular signed certificate on a private network, it takes some trickery but Ive done it for my self hosting with a reverse proxy.
@menvaetwo
@menvaetwo 2 ай бұрын
Congratulations
@bscheirman
@bscheirman 2 ай бұрын
hahaha that intro was 👌 congrats!
@almogna
@almogna 2 ай бұрын
really really coollll why didn't you reruted the ny puzzel server to yours on the local router level with a relatively simple api ?
@majesticdragonfly
@majesticdragonfly 2 ай бұрын
Congrats!!
@MasonSchmidgall
@MasonSchmidgall 2 ай бұрын
Super cool. How'd you deploy it though?
@BlueFalconHD
@BlueFalconHD 2 ай бұрын
Congrats!
@KyleeYay
@KyleeYay 2 ай бұрын
you're so fucking smart wtfffff, congratsss!!
@zribedev
@zribedev 2 ай бұрын
congrats legend
@pythonop7303
@pythonop7303 2 ай бұрын
This channel is gold. Anyone knows similar channel for android?
@spreen_co
@spreen_co 2 ай бұрын
how did you manage to get this app onto all the attendees' phones?
@trudyandgeorge
@trudyandgeorge 2 ай бұрын
I was wondering the same thing. Perhaps he organised a casting / projection of a phone's screen that had the injected app side-loaded, setup in a games corner or something, then guests could roam around with a beer and check it out and be sufficiently surprised and impressed.
@haakonness
@haakonness 2 ай бұрын
I guess everyone who wanted to play just had to plug into his mac to make their device a test device for his developer account, and deploy as a test-app
@spreen_co
@spreen_co 2 ай бұрын
@@haakonness I think adding that many devices to your developer account will be a problem
@GRAnimated
@GRAnimated 2 ай бұрын
You're awesome!
@devini15yt
@devini15yt 2 ай бұрын
Just watched the whole video to figure out how he did the deployments and he never got around to it.
@sargundhillon2808
@sargundhillon2808 Ай бұрын
Sous vide creme brulee? (Guessing based on mason jar)
@bardo0079
@bardo0079 2 ай бұрын
congrats
@bscheirman
@bscheirman 2 ай бұрын
os_log is indeed separately annoying
@arjix8738
@arjix8738 2 ай бұрын
why attack android in the connections minigame? 😔
@Amrhossam96
@Amrhossam96 2 ай бұрын
Just Wow.
@igorordecha
@igorordecha Ай бұрын
macOS users trying to maximize an app so they don't have to scroll horizontally all the time challenge (IMPOSSIBLE)
@DavidMulderOne
@DavidMulderOne 2 ай бұрын
At 6:29 : Why not just basically find and replace the domain name to your own domain name? Setting up a proxy service at that point would be comparatively easy.
@ProSureString
@ProSureString 2 ай бұрын
🎉
@victorriurean
@victorriurean 2 ай бұрын
🎉💒
@DemsW
@DemsW 2 ай бұрын
What would be hard about intercepting those message on the network with a proxy and returning whatever you want ? Seems like it would be the most basic and seamless, though you would need to ask the particular venue you are reserving.
@GranPC
@GranPC 2 ай бұрын
HTTPS
@AntonioNoack
@AntonioNoack 2 ай бұрын
The modern web (since 10+ years ago) runs on HTTPS. You cannot simply claim to be NYTimes with a proxy, and if you were to claim the DNS server, address lookup is cached, so you'd have to clear the DNS caches somehow.
@DemsW
@DemsW 2 ай бұрын
@@AntonioNoack I see, thanks
@ashadsaeed2514
@ashadsaeed2514 2 ай бұрын
first
@ahmetsametsatr6370
@ahmetsametsatr6370 2 ай бұрын
I was really interesested to listen before i heard IOS rich mf. :) :)
@mynameisDuck
@mynameisDuck Ай бұрын
Great video (despite the Android bashing :( ) I think I solved the Mini, is it (spoilers): B E A N S R E G A L A R O M A W I R E S L E A S H
Microservices are Technical Debt
31:59
NeetCodeIO
Рет қаралды 644 М.
This is How I Scrape 99% of Sites
18:27
John Watson Rooney
Рет қаралды 183 М.
When Cucumbers Meet PVC Pipe The Results Are Wild! 🤭
00:44
Crafty Buddy
Рет қаралды 57 МЛН
World’s strongest WOMAN vs regular GIRLS
00:56
A4
Рет қаралды 52 МЛН
Spotify Bricked The Car Thing, So I Hacked Mine
21:20
Dammit Jeff
Рет қаралды 2,1 МЛН
How do QR codes work? (I built one myself to find out)
35:13
Veritasium
Рет қаралды 7 МЛН
I Made an iOS App in MINUTES with This AI Tool!
13:20
Creator Magic
Рет қаралды 250 М.
I Have 2 Weeks to File a Dispute for this Scam TV
25:35
Linus Tech Tips
Рет қаралды 3,4 МЛН
Hacking Disneyland's App to fix a Freeze
14:50
Bryce Bostwick
Рет қаралды 14 М.
The secrets of Inflight Entertainment you never asked about...
15:24
Simply Aviation
Рет қаралды 170 М.
WHY did this C++ code FAIL?
38:10
The Cherno
Рет қаралды 293 М.
Thermoelectric cooling: it's not great.
32:51
Technology Connections
Рет қаралды 3,3 МЛН
Why Didn't He Get the Job? Let's Find Out! // Code Review
27:25
The Cherno
Рет қаралды 148 М.