
I feel like you could do this just watching network traffic, and judging by the fact that nobody's done it, I also feel like there's some mechanism preventing this that I'm not knowledgeable enough in the subject to be aware of.



You can't do this just watching network traffic because the apps use HTTPS + certificate pinning.

And you can do it if you want. I do it. I'm sure many more people do it.


Out of curiosity, what do you use the decompiled tokens/endpoints for?


The official Twitter app is possibly using these premium endpoints, so its token has access to those. If you "grab" that token(s) somehow, you can go ahead and use it in your app, I presume. I don't know how this will work when your app wants to connect to someone else's account, however.


You think all the Russian bots are on the official API? Nope.


Nefarious purposes, mostly. I can crawl without rate limits (well, there are rate limits, but it's much harder to hit them), and I also can spam a lot without getting my account flagged (but it eventually gets flagged, of course).

By spamming I don't mean the usual "click on this link and I'll show you my tits" spam; if you create a useful bot that sends "expected" mentions (for example in response to mentions you receive, and not just spam) it will get banned in a matter of hours. With their "secret" tokens, it won't get banned.


A rooted device should suffice, but it is a painful procedure.



