UPDATE 6-26-2015: Something appears to have changed in Snapchat’s API. Images are still decrypting fine, but MP4s are now producing unreadable files. You’re welcome to email me if you figure out what’s going on. Silly me, it was just Snapchat’s zipped media format. The repo has been updated to support zipped media, and it does so rather well if I do say so myself.

UPDATE 7-26-2015: Now you can capture responses automatically with mitmproxy, no Burp Suite required.

UPDATE 10-2-2015: iOS 9’s new App Transport Security functionality prevents this kind of man-in-the-middle proxying, so if you want to keep using SnapCap, don’t upgrade.

While fiddling around with Burp Suite and my iPad, I ended up making a little Node.js app to fetch, decrypt, and save Snapchat story files from a saved response capture. The README has some general instructions, but I thought I’d post the process I use with Burp Suite.

  1. Run npm install in the folder with package.json and story-decrypt.js.
  2. Find the response you want. It should be paired with a POST request to /loq/all_updates or /bq/stories.
  3. Select the entire response and copy it to a text file. Remove the header section from the text file.
  4. Save the edited response to the repository folder as “cap.json.”
  5. Run node story-decrypt.js in the repository folder. This will create a “stories” folder with story files in it.
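
Steps 3 and 4 can be scripted. The following is an added example, not code from the SnapCap repository: it removes the header section from a raw response copied out of Burp Suite and checks that what remains is valid JSON before saving it as cap.json. The file name strip-headers.js, the function name and the sample response are assumptions made for illustration.

```javascript
'use strict';
// Added example (not from the SnapCap repository): steps 3 and 4 as a script.

// Constructed sample of a response copied out of Burp; the JSON is a
// placeholder, not Snapchat's real schema.
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  '',
  '{"constructed_sample": true}',
].join('\r\n');

// Return the JSON body of a raw HTTP response, with the header section removed.
function extractJsonBody(raw) {
  let body = raw.trim();
  let headers = '';
  // If the headers were already removed by hand, the text starts with JSON.
  if (!/^[{[]/.test(body)) {
    if (!/^HTTP\/\d/.test(body)) throw new Error('not an HTTP response or JSON');
    // Burp copies CRLF line endings; an editor may have rewritten them as LF.
    const gap = /\r?\n\r?\n/.exec(body);
    if (!gap) throw new Error('no blank line between headers and body');
    headers = body.slice(0, gap.index);
    body = body.slice(gap.index + gap[0].length).trim();
  }
  try {
    JSON.parse(body); // validate only; the text is saved unchanged
  } catch (err) {
    // Likely causes: a partial copy, or a body still compressed or chunked.
    const enc = /^(?:content|transfer)-encoding:.*$/gim.exec(headers);
    throw new Error('body is not valid JSON' + (enc ? ' (' + enc[0].trim() + ')' : ''));
  }
  return body;
}

// CLI use (hypothetical file name): node strip-headers.js response.txt
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const src = process.argv[2];
  if (src) fs.writeFileSync('cap.json', extractJsonBody(fs.readFileSync(src, 'utf8')));
  else console.log(extractJsonBody(SAMPLE));
}
```

Run with a file argument it writes cap.json in the current folder; run without one it prints the body of the constructed sample.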


Using Burp Suite with iOS

Burp Suite is quite fun to use for API analysis with iOS apps, but it can be a bit tricky at first, since most apps (almost all in iOS 9) use HTTPS. The three important things to do are:

  1. Set Burp Suite to listen on all of your computer’s interfaces.
  2. Make sure Burp Suite generates CA-signed per-host certificates.
  3. Install the Burp Suite CA certificate on your device: with Burp Proxy configured, go to http://burp/cert on your device. This will prompt you to install the certificate.
