Comment on Photographer steps inside Vietnam’s shadowy ‘click farms’ | CNN
abhibeckert@lemmy.world 8 months ago
API requests are usually encrypted with something along the lines of a JWT: jwt.io
If you don’t know the secret used to generate the HMAC signature (blue section of that website), then you can’t simulate the API request. And the secret is never transmitted.
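Added example, not part of the comment above: a minimal HS256 JWT signer and verifier in Python, showing that a token whose payload is altered, or that is checked against a different secret, fails verification. The secret, the claim values and the helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"             # constructed; held only by signer/verifier
CLAIMS = {"sub": "user-123", "action": "like"}  # constructed sample claims

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}) + "." + _encode(claims)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_hs256(token: str, secret: bytes):
    """Return the claims when the HMAC checks out, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError:          # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm: the token's own header must not pick "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):   # constant-time comparison
        return None
    return json.loads(b64url_decode(body))

def with_changed_claims(token: str, **changes) -> str:
    """Rewrite the payload but keep the old signature (all a party without the secret can do)."""
    head, body, sig = token.split(".")
    claims = {**json.loads(b64url_decode(body)), **changes}
    return ".".join((head, _encode(claims), sig))

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(verify_hs256(token, SECRET))                                        # original claims
    print(verify_hs256(with_changed_claims(token, sub="user-999"), SECRET))   # None
    print(verify_hs256(token, b"wrong-guess"))                                # None
```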
LostXOR@fedia.io 8 months ago
I was thinking more of using a debugger to see the API calls the app is making before SSL, not intercepting them over the network. Getting the secret would be harder but I assume it's stored somewhere in the app or app data and could be extracted. I'd be surprised if social media apps are storing it in the TPM.
I guess it comes down to whether it's easier/cheaper to do all of the above than to just buy a bunch of physical phones.