Ever wanted to know what kind of fingerprints Instagram logs? Here are all the answers you were looking for :)

Hey guys!

So today I was looking for evidence about the kind of logging events that Instagram implements on their website, and while delving deeper into their code I was very surprised to find this very explicitly declared in one of their JavaScript files :open_mouth:

I find this a very valuable and useful piece of information and it provides a great insight on the kind of fingerprints Instagram looks for on every client.

So without further ado, here is the piece of code that gives us pretty much every possible fingerprint that you will need to avoid if you want to stay 100% off the radar :smile:

It’s way more information than I could have ever imagined. Some of these I was already aware of, and you can find such evidence by checking the invisible app permissions of the Android app, for example.

But that’s really just a small part of everything they are logging… it’s pretty scary to be honest!

Here are some of the most relevant logging events that you can check in this code:

  • CLOUD_HOSTING_SCORE
  • DEVICE_MAC_ADDRESSES
  • APP_CERTIFICATES_HASHES
  • BATTERY_STATUS (They have access to all your battery stats, temperature, etc.)
  • DISPLAY_REAL_SIZE
  • APP_INSTALLER_PACKAGE_NAME
  • ALL_INSTALLED_PACKAGES
  • SYSTEM_INSTALLED_PACKAGES
  • BUILD_FINGERPRINT
  • PROXIMITY_SENSOR (And every other kind of sensor in your phone)
  • IS_USER_A_MONKEY
  • BLUETOOTH_ADAPTER_ADDRESS
  • BLUETOOTH_PAIRED_DEVICES
  • TELEPHONY_SIM_OPERATOR
  • IS_MOBILE_DATA_ENABLED
  • WIFI_SSID
  • IS_IGNORING_INTERACTION_EVENTS
  • IOS_LOCALE_COUNTRY_CODE
  • IOS_PROXY_SETTINGS
  • IS_JAILBROKEN
  • WINDOW_OUTER_DIMENSION
  • MOUSE_POSITION
  • SCROLL_POSITION
  • MOUSE_CLICK
  • ADVERTISING_ID

Check the file with the full fingerprint tracking list and you will understand that theoretically they can fingerprint any device uniquely in a very easy way.

And here are all the hidden permissions for the Android app as well:

I believe that even though all these parameters are logged, not all are being actively used by their algorithm for bot detection etc., but I think it shows us that even if you are changing your advertising IDs, factory resetting or whatever you may think of, at the end of the day they could still identify you by many other fingerprints such as your battery level, SIM operator or whatever.

I hope this will be useful in giving everyone a better understanding of the kind of activity logging Instagram does these days, and also in achieving a better trust score with our automations :slightly_smiling_face:

11 Likes

:joy: I saw some viral videos though with monkeys using phones

3 Likes

Already issues with these - without requesting the permission for Phone/Network/Bluetooth you can’t collect any of these.

For Android, IG would need the android.permission.BLUETOOTH permission - which they don’t have and don’t request :thinking:
To get the network state, android.permission.ACCESS_NETWORK_STATE

So these might only be valid for iOS.

Don’t get stuck in analysis paralysis. :crazy_face:

Well I guess they didn’t see that coming :laughing:

Monkey - 1 IG - 0

Rekt their monkey detection!

Talking seriously, monkey detection is just a test to see if the client is a test user generating random events such as mouse clicks, touches or gestures. It helps with bot detection.

3 Likes

Check my post update, I added the android permissions as well and all those are given to IG :disappointed_relieved:

Oh wow🤖…we doomed if they decide to use it all😄

Eheh naaah, just exploring my curiosity not gonna go crazy about it :slight_smile:

2 Likes

Very true :smile: The possibilities are endless once they have access to all that info. I’m surprised they’ve made it so easy to game their bot detection algorithm tbh.

Seems like they are focusing more on the amount of actions than actually implementing proper detection rules, which seems to be resulting in a lot of false flags for regular users.

Since faking the client log events is so easy and they aren’t using most of these fingerprints for bot detection purposes, I think we can say that their so-hyped bot detection algorithm is failing big time and can be bypassed quite easily.

Let’s see where this goes…

1 Like

@Kaylon Haha am certain till we have all of you guys w the brains :brain: game will never be over!:nerd_face::stuck_out_tongue_winking_eye:

Use XPrivacy to restrict the categories of data Instagram can access.
Problem solved!

2 Likes

https://developer.android.com/studio/test/monkeyrunner

Monkey… it is an automation tool
https://developer.android.com/studio/test/monkey

Built by Google for Android testing.

Only a monkey uses monkey…

2 Likes

So App Cloner is doing a good job :wink:


2 Likes

What’s Heartbeat and Heartbeat_v2? (at the end of the pastebin file)

The only issue is the package name is not instagram.com so it is detected as cloner.

Yes, but… :wink: :point_down:

3 Likes

Official Instagram Info: https://help.instagram.com/519522125107875

Information we obtain from these devices includes:

  • Device attributes: information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.

  • Device operations: information about operations and behaviors performed on the device, such as whether a window is foregrounded or backgrounded, or mouse movements (which can help distinguish humans from bots).

  • Identifiers: unique identifiers, device IDs, and other identifiers, such as from games, apps or accounts you use, and Family Device IDs (or other identifiers unique to Facebook Company Products associated with the same device or account).

  • Device signals: Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers.

  • Data from device settings: information you allow us to receive through device settings you turn on, such as access to your GPS location, camera or photos.

  • Network and connections: information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on your network, so we can do things like help you stream a video from your phone to your TV.

  • Cookie data: data from cookies stored on your device, including cookie IDs and settings. Learn more about how we use cookies in the Facebook Cookies Policy and Instagram Cookies Policy.

1 Like

Been awhile since last checked this.
I am not sure you can run them at the same time due.

Hey! Just a quick question: does it really need to be instagram.com only, or any other?
What is the real package name of the original Instagram application?
And what do u people think, how long can App Cloner cope with Instagram? As I have seen, for years it has been doing a great job. Months, years, weeks?

the monkey one gave me a good laugh