🥷 Hacking BeReal

Some time ago, the BeReal team implemented a technique called certificate pinning into their app to prevent bad actors from performing man-in-the-middle attacks on other people.

But we are good actors, simply trying to investigate what’s going on behind the scenes.

I have tried several methods to accomplish this goal:

  • An Android emulator running a Google API image, which can be rooted, but BeReal won’t install on it because Google Play services are missing;
  • An Android emulator running a Google Play image, on which the BeReal app can be installed but which can’t be rooted by default, so certificate pinning bypass tools don’t work…

Luckily for you, I found a way to completely disable certificate pinning on the entire device, without needing a tool like Frida that targets a specific app; here again, the BeReal team went ahead and added layers of protection that pretty much make the app crash on launch when it detects such a tool running.

Android Studio

  • Start by downloading Android Studio.
  • Create an empty project, and click on Tools > Device Manager.
  • Click on Create device, pick the Pixel 7 Pro (or any phone that has the Google Play Store icon next to its name).
  • For the system image, you can choose any of them that has “Google Play” mentioned in its target. This tutorial uses Android 13.0.
  • Finally, name the AVD and click on Finish.

Tools > Device Manager menu

How it should look at the end

Magisk

Magisk is a suite of open source software for customizing Android, supporting devices higher than Android 6.0.

  • Download the latest Magisk release.
  • Boot up the Android emulator.
  • Drag and drop the .apk file you downloaded into the emulator. It will automatically install Magisk.
  • Launch the Magisk app, and reboot the emulator.
  • Launch Magisk again, and click on the Modules tab on the bottom bar.
  • Click on Install from storage.
  • Drag and drop this module into the emulator, refresh the file explorer if needed, and select the .zip file.
  • Reboot.

When opening the Magisk app, you will probably be greeted with the following message:

Requires additional setup - your device needs reflash Magisk to work properly.

Just click on “cancel” - it doesn’t have any impact on the process.

Magisk's interface

LSPosed module enabled

LSPosed & certificate pinner

  • Drag and drop this .apk file into your emulator, then install it.
  • Go to the notification center.
  • Click on the Android System - LSPosed loaded notification.
  • Go to the modules tab.
  • Click on SSLUnpinning.
  • Toggle the BeReal app inside the module settings.

LSPosed - main menu

Module settings

HTTP Toolkit

HTTP Toolkit is a beautiful & open-source tool for debugging, testing and building with HTTP(S) on Windows, Linux & Mac.

  • Download HTTP Toolkit from the website.
  • Launch the app, and click on Android Device via ADB.
  • Start intercepting requests.

Android app

PC interface
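For reference, this is what the pinning check that the SSLUnpinning module short-circuits actually compares, as an added example that is not from the original post or from BeReal’s code: a pin is the SHA-256 of the certificate’s SubjectPublicKeyInfo, base64-encoded, in the `sha256/…` form used by OkHttp’s CertificatePinner and Android’s network_security_config. The RSA moduli, host name and pin values below are constructed for the demo and are not real keys.

```python
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, 0x00 prefixed if the top bit is set."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)

def rsa_spki(modulus: int, exponent: int) -> bytes:
    """Build the SubjectPublicKeyInfo of an RSA key: the structure that gets pinned."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    bit_string = der_tlv(0x03, b"\x00" + rsa_key)  # first byte = number of unused bits
    return der_tlv(0x30, alg + bit_string)

def spki_pin(spki_der: bytes) -> str:
    """Pin form shared by OkHttp and network_security_config: sha256/base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_is_pinned(host: str, chain_spkis: list, pins: dict) -> bool:
    """Accept the chain if any presented SPKI matches a pin for host; no pins for host means pinning does not apply."""
    expected = pins.get(host)
    if not expected:
        return True
    return any(spki_pin(spki) in expected for spki in chain_spkis)

# Constructed demo keys (tiny moduli, DER structure only; not usable RSA keys).
SERVER_SPKI = rsa_spki(0xC0FFEE1234567891, 65537)  # the key the app pins
PROXY_SPKI = rsa_spki(0xBADC0DE987654321, 65537)   # key an intercepting proxy would present
PINS = {"api.example.invalid": {spki_pin(SERVER_SPKI)}}  # hypothetical host and pin

if __name__ == "__main__":
    print("genuine chain accepted:", chain_is_pinned("api.example.invalid", [SERVER_SPKI], PINS))
    print("proxy chain accepted:", chain_is_pinned("api.example.invalid", [PROXY_SPKI], PINS))
```

With pinning intact, a proxy-issued certificate fails this comparison even when the proxy CA is trusted by the device store, which is why an interception setup needs the hook above rather than just a user-installed CA.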