Ludovic Frank - Freelance developer

Let's take a look at Instagram's APIs, one public and one private

ionicons-v5-k Ludovic Frank Oct 28, 2024
57 reads Level: Confirmed
View this blog post in French

Summary

Hi there, how are you? 😁.

Thanks for clicking on this article, I hope you like it even if the subject is quite specific 😛.

This week we're going to talk about APIs, developers use them every day in their work, bah yes, for example for online payments often we use Stripe's or PayPal's.

But we're going to go a little deeper, because there are two types of API: public and private.

Are you ready? Here we go 🙂.

Why this article?

When I'm not working on customer projects, well, I've got to keep busy... we're not going to look at stolen flies either, because well, it's not the fire.

Sometimes, for example, I dismantle my robot vacuum cleaner.

A disassembled Roborock s5 vacuum cleaner

(In fact, I dismantled it because it had broken down, either the motor had died or it was too dirty, so it had to be tested 😁)

And other times I have fun looking at how the apps people use every day work, I've already seen Uber Eats or even TikTok....

And then, last week, I thought I'd take a look at how Instagram works, because even though it's not really our cup of tea as far as technology people are concerned, I have to admit that the Meta group's social networks are widely used by the general public.

So here I am, poking around Instagram's APK to see what's going on, and then... while I'm at it, why not make an article of it? 😁.

Instagram's public API

If you're a developer, you'll be familiar with it, they call it Instagram's "graph" API and it's accessible at "graph.instagram.com".

There's just one condition: only professional accounts can use this API.

Introducing Instagram's public API

In other words, if you have a personal account, you won't be able to use it, you'll have to switch to a professional account, but the question is, if you switch to a pro account, what really changes for the account and its visibility?

We don't really know...

How do I use Instagram's public API?

We're not going to spend too much time on this: all you need to do is create an application in "Meta for developers", while the rest is covered in the Meta documentation.

What can you do with the public API?

The Public API is very much geared towards business and content publishing, so you can do the following, among other things:

  • Get basic account information: number of subscribers, number of publications, account name... etc.
  • Retrieve account posts: this is how you see people's Instagram posts in other applications, like Tinder, or websites, there are Wordpress plugins that allow you to display the latest Instagram posts on the site.
  • Recovering stories: stories are ephemeral publications that disappear after 24 hours, but thanks to the API, you can recover them and display them elsewhere.
  • Publish publications: You can also publish publications, but be careful, it's relatively simple: you call the API and give it the URL of the file you want to publish. Yes, it's interesting, because you don't upload the file directly, the API has to fetch it from a publicly accessible URL on the Internet.
  • Publish stories: it's the same as for publications, you can publish stories, but it's very limited, for example you can't add stickers (or maybe I didn't look hard enough).
  • View and moderate your comments and replies to comments: you can develop your own app that handles comments, for example, to moderate or reply to them.

As you'll have guessed, the public API does some pretty simple things, but it's ultra-useful for professionals who need to post frequently on Instagram, for example.

If you've been paying attention, you'll have noticed that you can only interact with the account that's connected to the API, so there's no possibility of viewing posts from other accounts, no possibility of commenting, and no possibility of following another account.

In my opinion, there are several reasons for this API:

  • Protection of user data: Yes, I know, it's Meta (Facebook), but they can't do absolutely anything either, so they need to protect users a little to avoid a bad image.
  • Fight against bots (and therefore spam): Telegram is a fairly visible example of this, the platform wants to be fairly open and lax on moderation, but the problem is that I personally often get completely off-topic or spam messages, and that, I'm not a fan of.
  • Protecting Meta's interests: Yes, Meta is a private company with commercial interests, and it doesn't suit them too well that anyone can do anything they want on the platform. Meta is simply protecting its commercial interests.

For a concrete example of how the public API can be used, take a look at Josselin's SAAS "Plus tard".

Illustration of how to use Instagram's public API

Using Instagram's public API is risk-free for your account, that's what it's there for.

Instagram's private API

First and foremost

Never use Instagram's private API in your applications.

As you'll see, it's a very bad idea to use this API in your applications, as it's not designed to be used by external developers.

If you use it, your account will eventually be banned from the platform, and I can't be held responsible, because I've warned you, you'll be banned.

Denial of access to Instagram's private API (illustration)

By the way, using this API is against Instagram's terms of use 🙂.

Now that you've been warned, let's get back to more interesting things, for the sake of "knowing", let's go titillate this API.

What is Instagram's private API?

Instagram's private API is the API with which the official Instagram applications communicate (iOS and Android, I'm not talking about the web, because on Instagram, the web is anecdotal).

Instagram homepage on iOS

When you launch the Instagram application on your smartphone, your device communicates with Instagram's private API.

What can you do with the private API?

Well, it's relatively simple: you can do everything you can do via the Instagram app.

But as I said above, apart from for fun and to test and understand, never use it in any other context, otherwise: goodbye Instagram account.

We'll go into a bit more technical detail here, but it's simpler than it sounds.

Illustration of a finger touching computer code

How do I see this API?

Ah, that's where the fun begins, because unlike the public API, the private API is not documented - well, if it has to be - but only accessible to Meta employees.

So, to do that, you'll have to do what we call a "Man in the Middle".

The "Man in the Middle" proxy

So, what is a Man in the Middle? Quite simply, it's the act of putting yourself between two devices - in this case, the client Android smartphone - and the Meta servers, so that you can see the data (HTTP requests) passing through.

So, if you're on a Mac like me, there's a great app that does this, and they support "SSL", more on that later.

The application in question is Poxyman, and I could have put it in my top Setapp applications.

illustration fictive de Proxyman, une interception type man in the mddle

Once you've installed and activated the application, you'll need to configure your Android to use the proxy provided by Poxyman.

Setting up a proxy on Android

You can either do this via the graphical interface, in your device's Wifi connections, but if you're interested in an article like this one, it's because you have a couple of technical notions.

It's possible to define a proxy on an Android device with "ADB" (that's the Android command line, for developers).

To do this, use the following command:

Finally, to remove the proxy, use the command :

The SSL problem

Ah yes, well, it's not that simple, because, globally on the Internet nowadays, all connections are made via HTTPS, not HTTP.

So you'll need to install Proxyman's SSL certificate on your Android device, so that your smartphone recognizes certificates signed by Proxyman as valid.

Proxyman SSL certificate installation window on Android

To do this, go to http://cert.proxyman.io/ on your smartphone, where you can install the certificate.

Be careful, it's HTTP and not HTTPS.

Once you've installed the certificate on your smartphone, you'll be able to see all requests decrypt and pass through Proxyman... well, not quite yet...

SSL Pinning

What's this thing again? 😁.

In fact, Meta (and all the others for that matter) aren't stupid. They know that you can install your own root certificate on your device, so in the application APK (Instagram in this case), they put a list of really authorized certificate signatures, so even if the certificate is accepted by the system, the application will refuse to use it.

For security, this is important, because we're just trying to see what's going on between the Instagram APK and the servers, now by getting in the middle like this, someone with malicious intent could alter the data to display other things, or upload something else... or even worse, steal the account.

And yes, not a bad idea ...

By the way, here's what an SSL Pinning configuration file looks like in an Android application:

SSL Pinning configuration file in an Android application

The blurred data at the top of the screenshot is the domains belonging to the owners of the Android app, below it are the public digital signatures of the authorized certificates.

So, as you can see, to get past this problem, you'll need to modify the application's APK, so that it starts accepting the certificate you've installed on your smartphone.

You can use APK Lab and Visual Studio code to "decompile" the APK and recompile it once it's been modified. It's a very interesting thing to do, and I'll leave you to find out.

Alternatively, you can check out this GitHub repository, which contains a script as well as already patched APKs

Now you can see all the requests passing through Proxyman, and so see how the application works

The private API in action

And now, in Proxyman, you can see all the traffic sent to Instagram's servers in clear text.

All you have to do is wander around, upload files, view stories, and you'll see what's going on... and from there you can create your own script that behaves like the APK, but you'll see once again, it's not that simple, the Meta engineers are good and they've made sure to freeze you if you do.

Instagram app traffic in Proxyman

For example, unlike the public API, on the private API, when you want to create a new publication, the server only accepts JPEGs. This is clever, because the compression is done on the user's device, which means lower costs for Meta.

In terms of economy of scale, we're not bad 😁.

A dangerous API

Now that you can see directly how the APK interacts with Instagram, you realize that a lot of data is sent to the servers.

For example, there's not just an authentication token, but also tokens linked to the device, a UUID... etc.

And the really interesting thing is, other people have already done the work before you, in fact...

A Typescript library for the private API

And yes, it's accessible directly on GitHub.

So, as you can see, this library is no longer maintained for free, now they're offering a subscription (you betcha... given the unbearable stuff to maintain).

Earlier, I told you that it's very dangerous to use, and you'll understand why.

Take a look at this constant file.

So first thing, it's based on version 222 of the Instagram APK, today we're at version 354, if you use the library as is... you'll light a red light at Meta, nobody's on version 222 anymore.

But also, look at the number of "keys" in the constants: there are lots of them, and they're different from one version of the APK to another, so if you make the slightest mistake, that your version of the APK declared to the private API isn't in line with the keys you've defined.

Paf, a red light at Meta.

Illustration of a red alert light

After that, you can have fun wandering through the source code, for each interaction with Instagram you see the "endpoint", and you can compare that with what you see in Proxyman.

Conclusion

The idea was to show you the difference between a public APU and a private API.

And above all, that private APIs are designed to prevent you from using them, but it's interesting to look at.

If you yourself ever have to work on an API that only your company is supposed to use, you can see how the biggest names in tech protect themselves.

And I've got to say, Instagram, they're doing it hard.

Have a great day and see you soon 🙂.

Back to the blog

Interested in the web?

Why is blockchain (Bitcoin) the revolution?
Why is blockchain (Bitcoin) the revolution?
What are unit and functional tests?
What are unit and functional tests?
Typesense, the replacement for ElasticSearch?
Typesense, the replacement for ElasticSearch?