Authentication & bereal-signature header

[Smart123s]

Every request sent to https://auth.bereal.team/ on 1.13.1 (and older?) now has a "bereal-signature" header.
For now, the only requests that were blocked without it are auth related (return HTTP 400 without error codes). Firebase login has started requiring play integrity check, so that's out of scope.
Does anyone have a working login implementation?

[MrAn0nym]

At least on android bereal started using pairip make our lives as hard as they possibly can. Did you use an iOS device to check this behavior? From my testing simply injecting into the apk is not really viable, let alone making successful API requests afterwards.

[MrAn0nym]

Could be wrong about it but I believe that the endpoints should still be available without signatures when providing older app versions in the headers

[Smart123s]

The version doesn't seem to matter. Vonage requests require the signature, and firebase requires play attestation. Older versions can log in through firebase only. Non authentication related methods work without the signature header. Yes, I've used Android to test it, as described here: https://fowled.gitbook.io/bereal/articles/hacking-bereal

[NeedNot]

what does this mean for us? Can't login? Will we be completely unable to do anything in the future?

[NeedNot]

so the bereal-signature is done within the app offline? couldn't you see how the app is doing it. As for the google play is that like a token, but how is it possible for google to ever know if it's a real device or not.

assuming those can never be bypassed could you intercept from an android device? It would suck that you would need an android device or emulator running but still not impossible.

[NeedNot]

also how do you guys ever get http toolkit to work on android emulator, I follow the tutorial but magisk is not behaving the same

[Smart123s]

I had to use this script to get Magisk working on AVD: https://gitlab.com/newbit/rootAVD.

Google has a pretty complex software, called Play Attestation (formerly SafetyNet), that can check, if your device is genuine, and hasn't been tampared with. You can Google it if you are interested in how it works.

The Bereal-Signature is calculated client side. Whilst I haven't tried decompiling the app, Snapchat also has this kind of signature, and the only reason it exists is to ensure that the requests are made from the real app. So probably the signature generator algorithm is encrypted.

Currently, we are only able to MITM BeReal on Android x64, and not on arm. It's possible that pairip (or whatever it's called) doesn't work properly on x64. On my arm phone, the app crashes if Xposed is hooked or frida is running. On my PC emulator, it doesn't have any problem with XPosed. I wouldn't be surprised if this would get fixed really soon. If it does get patched, then we won't be able to intercept traffic from Android devices. I have no clue about iOS.

If you have a rooted phone, you can access every photo the app downloads in the cached folder of the app. They are all unblurred, even if you haven't posted yet. But that's pretty much what you can do. And since the app can show posts it has already loaded without internet, probably the metadata is also cached somewhere. Maybe one of the databases?

[NeedNot]

Thank you it worked this time, I don't know much about cryptography and security but how would it possible for the apk to be able to generate the signature but not be possible to copy the algorithm? I know decompiled apk is just going to be an obfuscated mess but surely nothing is impossible?

[Smart123s]

It's not impossible to replicate anything that's done client side. It's just so hard that it's near impossible. Just take a look at how Denuvo DRM works in games. It sometimes takes scene groups months to crack a game. And in case of BeReal, if the algorithm gets cracked, there's nothing stopping them from replacing it with a new one.

Although please note that I still haven't decompiled the APK, and it's possible, that the algorithm can be easily broken, but then there would be no reason for the signature to exist.

[bengram]

the iOS login method is still working. But more and more api endpoints are being secured with the signature. it's only a matter of time before nothing works anymore.

[U14-dev]

So they have no signature on iOS? Or only none at login? I only looked at the android app tbh i have no clue about ios :D