Accessing The Android/IOS TikTok Calls #120
Comments
Issue Label Bot is not confident enough to auto-label this issue. See dashboard for more details. |
I’m pretty sure that is a mobile end point, so you would need to reverse engineer the calls and authentication to that. You can test it by opening tiktok on your phone, check you’re not logged in and click on someone’s “followers” and it returns the list |
I'll try to install Android emulator and look, but I'm not sure when I'll have the time. Maybe someone with higher reverse engineering skill is reading this issue? |
I have rebuilt mobile endpoints from old versions of the Android APK using Charles Proxy, it's mostly straightforward. The question is what version of the app introduced this feature and what signature encryption is used. I'll take a look later |
@dj2ball AFAIK signature encryption is handled just fine by existing TikTokApi code. What's straightforward for you means installation of unknown soft for me, I'm not a mobile developer. Thank you in advance for taking a look. |
I'm open to adding this feature if anyone is able to reverse engineer it. Hopefully they use the same signature generating methods, but I feel that's unlikely. |
I’ve had good success using Nox Android Emulator. Charles Proxy is paid but has a free trial and you can use it to intercept traffic from your mobile app as a man in the middle proxy - good example here:
https://deliveroo.engineering/2018/12/04/how-to-use-charles-proxy-to-rewrite-https-traffic-for-web-applications.html
If you are more comfortable with Python, mitmproxy is, I think, the free package that does similar things.
You will want to use Android OS Version 7 or earlier in your emulator as after that version there are restrictions on installing 3rd party SSL certificates which you need to do to read HTTPS traffic from TikTok.
…
On Jun 6, 2020 at 2:43 pm, <tarkhil ***@***.***)> wrote:
@dj2ball (https://github.com/dj2ball) AFAIK signature encryption is handled just fine by existing TikTokApi code. What's straightforward for you means installation of unknown soft for me, I'm not a mobile developer. Thank you in advance for taking a look.
|
I'm pretty sure you would need different authentication. When I looked at this before, the current implementation of the web api uses verifyFp and _signature as authentication in its https request, the mobile app uses Khronos and X-Gorgon. I've done a bit of decompiling of the Java APKs and from what I can see, Khronos is essentially a Unix timestamp with query parameters passed to it but Gorgon is heavily encrypted. There is some info online about a few folks who have built generators for this (e.g. https://github.com/SebastienWae/tiktok-gorgon-bridge) although I've yet to get it working successfully (I can get it installed on Android and communicate with it via cURL but currently the signatures aren't accepted). It's possible I need to try a different app version as it may get updated. |
@dj2ball Hey, please let me know after you tried a different app version if it worked or not, thanks. |
I checked a couple of my older Android APKs and there is no follower endpoint without logging in. On the current iOS version the endpoint is there. We would need current signature generation for the Khronos and X-Gorgon headers to be able to access the endpoint, at a minimum. |
I just looked into generating those parameters and this repo seems promising. I can’t look into it too much right now but I’ll be able to look into it this weekend. Generating Parameters |
Sounds good, that repo does look promising - if you decompile the Android tiktok api, the code for generating X-Gorgon and Khronos via Leviathan looks pretty close to what is in that repo |
I believe Leviathan has to be called in the Java Native Environment (JNI) and is part of the libcms.so binary. The code posted by David seems to be a good approximation of the steps to generate the inputs for the leviathan call, what I'm wondering is then whether you need something like the repo below to hook leviathan in the JNI and generate the return? See below: Unfortunately Java is a little away from my wheelhouse so at this point I'm following logic and intuition rather than a solid understanding of Android development. This thread summarises some good discussion on it: https://github.com/szdc/tiktok-api/issues/120 including this summary: "For anyone struggling with generating XGorgon/XKhronos combination: XGorgon is generated by concatenating four strings:
Your string should now be 32 * 4 digits long. Set X-Khronos to the current time and pass this value + the string you just generated to the Leviathan encryption algorithm. This algorithm is extremely complex and can't be easily reverse-engineered. It has lots of security checks to see that your phone isn't rooted, using any emulator, using a proxy/vpn, etc. It also makes a lot of syscalls which makes it hard to emulate. However, it is possible to reverse with enough determination (Took me around 2 weeks). The value that is returned by leviathan then just needs to be Hexed, and this is your X-Gorgon value." |
There’s a list of what seems to be most of the apk calls that the tiktok app calls on the website listed below. Just scroll to the tiktok research segment then there’s a pdf called apk_calls or something like that. |
Hi, is it possible to save the .json file that is returned from this URL? The problem is that it can be requested only once by the tiktok app; if you request it again, the returned .json file is empty. Here's a screenshot of the .json from Fiddler. I'm interested in the following tab from the .json file, as it has a list of 20 users |
Hi guys! Is it possible to get tiktok music endpoints? |
@alyfreym what type of music end points? |
I would like to receive music requests that are used in a mobile application. I know that all requests are encrypted x-gorgon, x-khronos. Do you have any information about these algorithms how to do it? |
@alyfreym kinda a late response, but this api already has some music endpoints. Still haven't figured out any algorithms to do this that are open source. If anyone has links to any comprehensible working projects that would be nice. |
Also might want to check out https://github.com/augustgl/tiktok_source |
https://www.youtube.com/watch?v=RxkLFAGetVQ I saw this video today, where he edits his tiktok profile with the video's current views and likes! |
@AdKT36 If you want to post stuff don't post sketchy site links |
This might be interesting; it seems to get mobile endpoint data. You do need a device_iid and iid, but for my internet I just typed in random stuff and it worked. Not sure if that would work at scale though. |
Why have you not posted any result? |
Any chance to support the retrieving of the followers list @davidteather? From the website this information is now available! |
It’s only available while logged in which is not the focus of the package right now. I’ll look into implementing more user functions in the future when I have more time available |
Lol, Noobs |
Just set up a Fake AP and forward the traffic through a reverse proxy to your router. That's the only reliable way to intercept android application calls. |
I've done a bit of digging and found some repos that contain old musical.ly endpoints. https://github.com/tolgatasci/musically-tiktok-api-python/blob/master/api.py I've tried some of the endpoints. Some like "video metadata" and "comments" work fine with no headers and do contain a lot more fields than the web version, however more interesting ones like the following/followers lists or even the user's post list just seem to respond with empty I'm not sure where to go from here. Any ideas on finding the right headers/params? I feel x-gorgon and x-khronos would be important. This code claims to generate them, but is incomplete (https://github.com/bloodyev/x-gorgon-x-argus-x-ladon/blob/main/xgorgon_orig.py), what is |
hello, can you still sniff for ios tiktok? |
Does anyone have any updates on the followers list? |
Sorry for reopening a closed issue, but that API call does exist.
I've tested https://rapidapi.com/logicbuilder/api/tiktok and it returns list of followers (but not of following).
Unfortunately, their uniform and well-developed API has nothing in common with cryptic TikTok API, so I still cannot guess how to do it without 3rd party sites.