
Management always works toward managing what it can measure. I’m sure that daily signups are a metric they track, hence they’ll prioritize signups even at the cost of user frustration and love, something that’s less tangible.

This is the kind of thing that kept me off Quora forever. It’s a great resource but I don’t feel like logging in 100% of the time. So now I just ignore all of their links.



Also, Twitter has changed their policy regarding API keys. You no longer just "get" them. You need to apply. I was rejected when applying for a key to export my own tweets.

Of course, this means everyone is using web scrapers for what API keys were used for before, because you can use the public internal API.


I prefer to just steal keys by reverse engineering mobile apps. So easy to get keys for just about anything and charge someone else for it that way.


Excellent replies to everyone in this thread. You're spot on.

Just out of curiosity, is there a marketplace for private APIs? I'd love if you could elaborate on the "charge someone else for it" part.


I know of RapidAPI by Rakuten; it operates as an API marketplace like this.


Interesting. As someone who hasn't done any mobile dev at all, is there a way to prevent something like this from happening? Can't you somehow encrypt such secrets in the app?


You can try, but you won't succeed against a dedicated reverse engineer: simply dropping a hook in on the API calls would be enough to grab the decrypted key in a case like that, if not simply statically reading the encryption keys and decrypting it. That's not to say it's useless - some reversers will simply move on to the next app when there's a list of dozens.

You can also send requests via your own server, which would allow you more control over the requests that get sent out to your 3rd party APIs and just restrict tokens as much as possible to the minimal set of features necessary for your application.
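The "proxy through your own server and restrict tokens" approach in the comment above, as an added example that is not from the thread or from any real project: the third-party key stays on the backend, the app only ever holds a short-lived signed session token, and the backend forwards just an allowlisted set of operations. The endpoint URLs, key strings and user names are constructed placeholders, and the upstream call is injected as a function so the example runs offline.

```python
"""Added example: a minimal backend proxy pattern for third-party API calls.
The mobile app never holds the upstream API key; it holds only a short-lived
session token issued by this backend, and the backend forwards only the
handful of operations the app actually needs. Names, tokens and endpoints
below are constructed for the example."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed values: in practice these come from a secrets manager / env vars.
UPSTREAM_API_KEY = "upstream-key-never-shipped-in-the-app"
SESSION_SIGNING_KEY = b"constructed-server-side-hmac-key"

# Least privilege: the app gets exactly these operations, nothing else.
ALLOWED_OPERATIONS: Dict[str, str] = {
    "timeline": "https://api.example.invalid/v1/timeline",  # read own timeline
    "post": "https://api.example.invalid/v1/post",          # post as this user
}


@dataclass
class Session:
    user_id: str
    expires_at: int


def issue_session(user_id: str, now: int, ttl: int = 900) -> str:
    """Issue a signed, short-lived session token for the app (HMAC over fields)."""
    expires_at = now + ttl
    payload = f"{user_id}:{expires_at}"
    sig = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_session(token: str, now: int) -> Optional[Session]:
    """Return the Session if the token is well-formed, unexpired and correctly signed."""
    try:
        user_id, exp_str, sig = token.split(":")
        expires_at = int(exp_str)
    except ValueError:
        return None
    payload = f"{user_id}:{expires_at}"
    expected = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires_at:
        return None
    return Session(user_id=user_id, expires_at=expires_at)


def proxy_call(token: str, operation: str, params: dict, now: int,
               upstream: Callable[[str, dict, dict], dict]) -> dict:
    """Forward one app operation upstream, attaching the server-held key.

    `upstream(url, headers, body)` is injected so the example runs offline."""
    session = verify_session(token, now)
    if session is None:
        return {"status": 401, "error": "invalid or expired session"}
    url = ALLOWED_OPERATIONS.get(operation)
    if url is None:
        return {"status": 403, "error": "operation not permitted"}
    headers = {"Authorization": f"Bearer {UPSTREAM_API_KEY}"}
    body = dict(params, user=session.user_id)  # upstream identity is set server-side
    return upstream(url, headers, body)


def fake_upstream(url: str, headers: dict, body: dict) -> dict:
    """Constructed stand-in for the real third-party API (no network)."""
    assert headers["Authorization"] == f"Bearer {UPSTREAM_API_KEY}"
    return {"status": 200, "url": url, "echo": body}


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_session("alice", now)
    print(proxy_call(tok, "timeline", {}, now, fake_upstream))        # 200
    print(proxy_call(tok, "delete_account", {}, now, fake_upstream))  # 403
```

The point of the allowlist is that a token extracted from the app is worth only what `ALLOWED_OPERATIONS` permits for that user for the next fifteen minutes, rather than the full upstream key; revocation and per-user rate limits then live in one place you control.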


What about secure key import on Android? It's still not that widely available, but should be everywhere in a few years. The idea is:

- a keypair is generated in secure hardware

- you send the public key to a server which encrypts the secret key with it

- the server sends the encrypted key back

- then it goes inside the secure hardware where it gets decrypted

The decrypted secret key is never in the userspace.


Mobile developers can implement certificate pinning to prevent man in the middle snooping. Twitter's app does this.


That achieves nothing against someone who uses something like apktool/baksmali to do static RE, let alone inject something like Frida to perform dynamic RE. There are even Xposed modules designed to just bypass certificate pinning.

Certificate pinning is a good security measure, but not a counter-RE one.


Certificate pinning is neither a good security measure nor a good obfuscation one.


I hope you did not just assume that general purpose computing and device ownership can be subverted by mere certificate pinning.

If it's executing on my device, you can be sure I can poke it and see what it's doing.


The frontend is in the hands of the enemy. There is no secret on the client side.


You could proxy requests over a server you control. This might just shift your problem, depending on the use case.


Rate-limiting works really well in most cases, though CGNATs make that a horror nowadays too.
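One way to make rate limiting survive carrier-grade NAT, as an added example that is not from the thread: a token bucket keyed on the authenticated client rather than the source IP, with a deliberately larger per-IP budget reserved for anonymous traffic. The limits, the IP address and the simulated user population are constructed for the example.

```python
"""Added example: token-bucket rate limiting keyed on the authenticated client
rather than the source IP, so that many users behind one carrier-grade NAT
address are not throttled as a single client. Identifiers and limits here are
constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Bucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float


@dataclass
class RateLimiter:
    # Per-client budget (e.g. one authenticated account or one API token).
    client_capacity: float = 10.0
    client_refill: float = 1.0
    # Per-IP budget for anonymous traffic: deliberately larger, because a
    # single CGNAT address may legitimately carry hundreds of users.
    ip_capacity: float = 200.0
    ip_refill: float = 20.0
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def _bucket(self, key: str, capacity: float, refill: float, now: float) -> Bucket:
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(capacity, refill, capacity, now)  # new buckets start full
            self.buckets[key] = b
        return b

    def _take(self, b: Bucket, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def allow(self, ip: str, client_id: Optional[str], now: float) -> bool:
        """Authenticated requests are limited per client; anonymous ones per IP."""
        if client_id is not None:
            key = f"client:{client_id}"
            return self._take(self._bucket(key, self.client_capacity, self.client_refill, now), now)
        key = f"ip:{ip}"
        return self._take(self._bucket(key, self.ip_capacity, self.ip_refill, now), now)


def simulate_cgnat(limiter: RateLimiter, n_users: int, requests_each: int,
                   now: float, authenticated: bool) -> int:
    """Constructed scenario: n_users distinct people share one CGNAT address and
    each sends requests_each requests at the same instant. Returns how many
    requests the limiter allowed."""
    shared_ip = "203.0.113.7"  # documentation range, constructed
    allowed = 0
    for u in range(n_users):
        client_id = f"user{u}" if authenticated else None
        for _ in range(requests_each):
            if limiter.allow(shared_ip, client_id, now):
                allowed += 1
    return allowed


if __name__ == "__main__":
    # 50 people behind one NAT, 5 requests each: all 250 pass when keyed per client,
    # only 200 pass when they are anonymous and share one IP bucket.
    print(simulate_cgnat(RateLimiter(), 50, 5, 0.0, authenticated=True))
    print(simulate_cgnat(RateLimiter(), 50, 5, 0.0, authenticated=False))
```

Keying on identity only helps once the client has something to present, which is why this pairs naturally with the proxy-and-scoped-token pattern discussed earlier in the thread; the per-IP bucket is then a coarse backstop against unauthenticated floods rather than the primary control.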


I believe solutions like SafetyNet on Android might help here. AFAIK no one has successfully reversed SafetyNet enough to spoof it.


Please don't legitimize SafetyNet. It is an existential threat to real ownership of your phone as any flavor of Android but that blessed by Google trips SafetyNet. It's the equivalent of barring people from running software on their laptop because they've installed a flavor of Windows that wasn't shipped from the factory. People everywhere have a right to do with their phone what they want to.


I agree with all your points, but what's the reasonable alternative? There is a reason that apps have decided to go with SafetyNet as a requirement. It dramatically reduces abuse.


Unless an API you're looking at requires/supports attestation via SafetyNet or you're willing to proxy via your own server this is likely not an option.

Additionally, while it's true (to my knowledge) that re-implementing a full SafetyNet spoof is not currently publicly available, a combination of Frida and MagiskHide is able to bypass SafetyNet for dynamic RE purposes: just launch the app as normal with MagiskHide enabled, then attach to it with Frida as root. If they enforce full hardware attestation this may change in the future, but right now we're good.


But as a developer, I won't put the API key in the client.


How will the client communicate with the API then?


And this is likely because there were a few years of "insert your own API key" third party clients after Twitter limited their max user count.

This from the site that used to indicate on every tweet the client used


Quora ended for me when spun/copy+pasted Google results started to replace answers. For example: I asked for the science behind the EPA's recommendations on UV exposure, and the answers were all word-for-word copies of the first result in Google, which had no detail on the science behind it. Just "avoid going out before x," "wear x SPF sunscreen," but nothing about the basis for the recommendations.

That was years ago. Recently, I went looking for how to un-retweet something from an account that has since blocked me, and every single answer on every instance of someone asking that on Quora is more or less a copy of Twitter's documentation for an ordinary un-retweet. Useless search result pollution.


Quora is such a shit show though - what happened there?

Their algo will just continually blast-email you every category you ever clicked on.


No idea. I used it a while and enjoyed the content, then they changed something in the algorithm and I'd suddenly get basically the same content every single day, often >30% of the feed would be the exact same as the week before. They also removed the list of topics, so there was no obvious way to escape the near static feed.

Not sure what they wanted to achieve with that change, but I never visited the site again.


It's a real shame. I used to really enjoy my daily Quora digest email. One of the only automated emails I truly dug into and read in detail. Over time I read it less and less. Then switched it to be weekly, then turned it off. I miss the old Quora.


It's because they need to start collecting more first-party data from users who land on their site. This is a result of Apple (and others in the future) blocking third-party cookie tracking.

They are doing this SOLELY because of the need for audience creation, marketing attribution, and ad revenue.


Broadcast radio, television, and print newspapers still exist without these things.


They sure do; however, digital media and social in particular, absolutely rely on significant investment in their audiences, attribution, etc in order to drive more revenue and thus higher CPMs. More traditional media (such as OOH, Print, etc) all rely on very high-level metrics such as daily traffic volumes and lack of direct impact evidence in their attribution of value.

This is why Facebook is SO very against what Apple is doing with iOS14+, particularly with cross-device and cross-app tracking opt-in, because they know it will decimate their ability to do what they do today.


Bingo. They need this for user-level measurement and targeting. Wouldn't be surprised if this also supports part of their audience extension work with Twitter Audience Platform as well.


With Quora you can just add ?share=1 at the end of the url and you can view the content without logging in.


I could imagine they're trying to prioritize things like user retention and ad revenue, both of which can be done better by tracking user behavior. Losing a percentage of their logged out user base could very well be worth it to them in order to increase what helps their business.


Quora's not a great resource anymore. It's just peoples' opinions boosted by an echo chamber.

This is probably the only good content that existed on there before it became a cesspool: http://qsf.cf.quoracdn.net/best_of_quora_2010-2012.pdf


Opening Quora links in a new private tab each time solves the issue for me. But agreed, it sucks.


This is not about measurement. This is about tracking people across third-party websites.


This is about growing users; they are stagnant now and have been for a while, just like Facebook.



