Will Instagram* work without a VPN?


The application's developers are testing a module for bypassing blocking in countries with censorship

The popular social network was banned in Russia in 2022. For many fans of the application, this was a real blow, and Instagram* traffic suffered a huge loss: according to Brand Analytics for October 2022, the number of authors (bloggers) decreased from 38 million to 17 million in a year, and the number of messages sent fell from 135 million to 40 million over the same period. The owners of the social network are now probably looking for new ways to win back their audience. One of them may be running Instagram* with a built-in module for bypassing blocking in countries with censorship.

What Instagram* Uses

While testing an updated version of the Instagram* application, one of i2crm’s employees found that the application works normally without a VPN service. To find out the reason, the company turned to a third-party reverse engineering specialist. Reverse engineering the mobile application showed that the Android version of Instagram* 260.0.0.23.115 arm64 contains a psiphon module.

What is reverse engineering

Reverse engineering is the study of a finished device or program, as well as its documentation, in order to understand how it works.

Reverse engineering the application: how exactly the Psiphon module was discovered

Psiphon is an open-source service whose code is published on GitHub, a hosting platform for IT projects. To detect the module, it was first necessary to read the documentation on embedding it in an Android application.

It was found that for the Psiphon module to work on a smartphone, several conditions are required, namely:

First stage

The Instagram* apk file was opened with the 7-Zip archiver, which showed the files it contains.

Of these, the following were of interest:

  • AndroidManifest.xml – provides detailed information about the application;

  • classes.dex – classes9.dex – files containing compiled Java code;

  • lib folder – native libraries.

The AndroidManifest.xml file contains a lot of information about the application, but in this situation the experts were interested in the permissions for network access. Since the Instagram* application actively uses the Internet connection, the permission check can be skipped, concluding that the condition for accessing the network is met.

Second step: Java code

Next, the apk file had to be unpacked in the Bytecode Viewer decompiler. A psiphon module class was found in it.

At this point, the Java part in the Instagram* apk file was discovered, confirming the second condition for Psiphon module support.

This extension indicated that the file is compiled (transformed) Java code. To understand what is inside the Java code, the specialists needed to convert it back to its original form, i.e. decompile it. In the recovered Java code, the Psiphon module for bypassing blocking was found.

Third stage: working with the native library

We managed to “look” inside the Java code and find the Psiphon module class using Bytecode Viewer. Reversing the apk file made it possible to find the dex files, and their subsequent decompilation revealed the psiphon module class.

Further, in order to understand how the module works on Android, it was necessary to find a java method that loads the native library. When this method was found, the specialists started looking for a native library. With its help, it was necessary to establish which part of the code is responsible for loading this library on a smartphone.

The native library for 64-bit ARM processors is also publicly available in the repository on GitHub and is named “libtun2socks.so”.

To confirm the use of the module, the experts examined the Java code and found the “startRouting()” method, which is responsible for loading the native part of the module.

In the “startRouting()” method, an interface was found to which the name of the native library is passed. The interface itself uses the Android system API method “loadLibrary()”. This method is part of Android's own code and is responsible for loading the native library into the device’s memory and making its exported functions available to the Java code. In turn, this makes it possible to interact with compiled C/C++ code from Java.

This is how the same function looks in the decompiled Java code:

When an application is unpacked, its libraries are usually located in the lib\ directory.

However, libtun2socks.so could not be found along this path. Therefore, it was necessary to look into assets\lib, where the Instagram* application can also store native libraries.

The folder contains two files:

  • libs.spo – archive with libraries;

  • metadata.txt – list of libraries with sha-256 hash and size of each file.

But the native library was not found in metadata.txt either. All that was known initially was that Instagram* automatically unpacks the libs.spo archive into a protected part of the device’s memory /data/data/com.instagram.android/lib-compressed/ when the application is first launched.

Thus, the third condition was not met (the presence of a native library libtun2socks.so). From the first three conditions, we can conclude that the use of the module is impossible due to the lack of a key library.

The specialists decided to check whether the developers have only added the code of the module or have already begun its active implementation.

Calling the java code of the Psiphon module from the java code of Instagram* using the example of installation in an Android application

To understand exactly how the Psiphon module is installed in an Android application, one can look at an example from open sources.

The module is created using the newPsiphonTunnel() method, its code looks like this:

The newPsiphonTunnelImpl() method looks like this:

When installing the module in Android, another native library, gojni, is encountered. It was not noticed during reverse engineering. When the repository was re-examined, a Maven aar was found: a module for integrating Psiphon into Android Studio projects.

Further, when opening the aar file with the 7-Zip archiver, the specialists found the required library and resources.

Based on this, the following conclusion can be drawn: the Psiphon module requires libtun2socks.so and libgojni.so to work.

After this installation study, the specialists returned to Instagram* and noted the paths where the libraries are stored:

  • /data/data/com.instagram.android/lib-compressed/

  • /lib/

Again, the library was not found. Then an attempt was made to find the Instagram* code that refers to the newPsiphonTunnel() method.

This search found a call to the Psiphon module from the Instagram* code. The study of installing the Psiphon module in Android showed that the module is not yet fully used but, as expected, is at the implementation stage. Meta* can probably use this service in the future to avoid the blocking of Instagram* in countries with censorship.
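The checks from the three stages and the call-site search above, collected into one triage function as an added example (not code from the original article or from i2crm). It assumes identifiers appear as plain ASCII in the dex files and that metadata.txt contains library file names as whitespace-separated tokens; the sample APK and the class descriptor inside it are constructed.

```python
import io
import zipfile

# Names taken from the article; DEX keeps ASCII identifiers as raw bytes.
JAVA_MARKERS = (b"psiphon", b"newPsiphonTunnel", b"startRouting")
NATIVE_LIBS = ("libtun2socks.so", "libgojni.so")
LIB_DIRS = ("lib/", "assets/lib/")


def triage_apk(apk_bytes):
    """Report which Psiphon Java markers and native libraries an APK carries."""
    report = {"java_markers": {}, "native_libs": {}, "metadata_listed": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        for name in names:
            # Stage 2: scan classes.dex, classes2.dex, ... for the module's names.
            if name.startswith("classes") and name.endswith(".dex"):
                data = apk.read(name).lower()
                hits = [m.decode() for m in JAVA_MARKERS if m.lower() in data]
                if hits:
                    report["java_markers"][name] = hits
            # metadata.txt describes libs.spo; match on file name only (assumption).
            elif name.endswith("/metadata.txt"):
                tokens = apk.read(name).decode("utf-8", "replace").split()
                report["metadata_listed"] += [x for x in NATIVE_LIBS if x in tokens]
        # Stage 3: look for the .so files under lib/ and assets/lib/.
        for lib in NATIVE_LIBS:
            report["native_libs"][lib] = [
                n for n in names if n.startswith(LIB_DIRS) and n.endswith("/" + lib)
            ]
    report["java_present"] = bool(report["java_markers"])
    report["native_present"] = all(
        report["native_libs"][x] or x in report["metadata_listed"] for x in NATIVE_LIBS)
    return report


def build_sample_apk(with_native=False):  # constructed stand-in, not real Instagram data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("classes9.dex", b"dex\n035\x00Lca/psiphon/PsiphonTunnel;\x00startRouting\x00")
        z.writestr("assets/lib/metadata.txt", "libfoo.so " + "ab" * 32 + " 1024\n")
        if with_native:
            for lib in NATIVE_LIBS:
                z.writestr("lib/arm64-v8a/" + lib, b"\x7fELF constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A result with java_present true and native_present false corresponds to the state the article describes: the module's Java code is shipped, but the libraries it needs are not.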

What is the Psiphon service?

The Psiphon VPN service was developed in 2006 at the University of Toronto. It is designed to bypass censorship by state regulators in countries such as China and Iran. You can read more about how VPN services work in this article.

Psiphon has a complex mechanism, and its traffic is almost impossible to catch, for example, through DPI filtering systems. It provides Internet access through a proxy server in another country, and if the server becomes unavailable, it switches to another one automatically. Now, apparently, Instagram* has decided to “sew” the blocking bypass module directly into the application in order to save users from having to look for ways to access it.

Is the Psiphon module dangerous in terms of transferring data between Instagram* users? Its creators can see the domains being accessed, but they can’t see user data. This is because the module is a local proxy server to which encrypted Instagram* traffic is redirected. Interception alone is not enough to read it; decryption is also required. In other words, the module can receive data in a generalized form and use it, for example, to set up advertising traffic, but it cannot receive browser history and cookies.

Why Instagram* doesn’t use Telegram’s methods

Instagram* traffic has been blocked since March 14, 2022 by Russian Internet providers at the request of the Prosecutor General’s Office of the Russian Federation. The application cannot independently bypass blocking, as Telegram does, using different IP addresses.

Telegram bypasses blocking by instantly changing IPv4 addresses on Amazon, Google and DigitalOcean hosting. If these addresses are forcibly blocked, then other sites and applications hosted on these providers will inevitably fail. This method is not used in China, where the listed servers are blocked by the state regulator.

Telegram also uses IPv6 addresses that regulators are not yet able to massively identify and block. Another way to protect against possible blocking is the ability to proxy connections via the SOCKS5 and MTProto protocols and auto-configuration bots from proxy and VPN service providers.

The transfer of messages between Telegram users is carried out directly via the P2P protocol using a built-in proxy similar to Tor. It is possible to block such a protocol only at the end IP addresses of users, that is, in fact, by disconnecting everyone from the network.

Conclusion

The operation of the Psiphon module in the Android version of Instagram* 260.0.0.23.115 arm64 was studied in two ways: by reverse engineering the application and by tracing the call from the Instagram* Java code, using the example of installing the module in an Android application. The study was conducted using information obtained from open sources and resources.

The experts found that the module is not currently fully used. Most likely, it is being tested and will be built into the application in the future in order to avoid the blocking of Instagram* by regulators in countries with censorship.

*Meta Platforms Inc. (Facebook, Instagram) – recognized as extremist, its activities are prohibited in Russia.
