├── LICENSE
├── README.md
├── examples
    ├── follow.php
    ├── login.php
    ├── searchuser.php
    └── unfollow.php
└── src
    ├── musically.php
    └── stored_data
        └── stored.json


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 mangledbottles
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # TikTok Private API (Musically API)
 2 | ![TikTok Logo](https://i.imgur.com/JArtreY.png "TikTok Private API")
 3 | Reverse engineered TikTok (previously Musically) Private API written in PHP, this project is no longer maintained.
 4 | 
 5 | ## Background
 6 | This API was reverse engineered using [MITM (Man in the middle) Attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) to intercept encrypted API requests between the TikTok iOS Application and the TikTok API Server.
 7 | 
 8 | The tools used to capture the endpoints were [Charles Proxy](https://charlesproxy.com), [SSL Proxying](https://www.charlesproxy.com/documentation/proxying/ssl-proxying/), and [SSL Kill Switch](https://github.com/nabla-c0d3/ssl-kill-switch2) for [SSL Certificate Pinning](https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/).
 9 | 
10 | ### Charles Proxy
11 | > Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
12 | Charles allows you to set up a local VPN connection that monitors any devices traffic including sockets.
13 | 
14 | ### SSL Proxying
15 | [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) which has replaced [Secure Socket Layer (SSL)](https://en.wikipedia.org/wiki/Transport_Layer_Security) creates an E2EE (end-to-end encrypted) connection between a client and a server (eg your phone and a website).
16 | TikTok's API used TLS encryption, so any data send between the TikTok App and the TikTok servers through Charles Proxy is completely encrypted and cannot be read.
17 | However, SSL Proxying can be used to surcumvent this protection.
18 | 
19 | By installing a custom SSL Certificate on your device, you hold the decryption keys to the encrypted data and can view all requests in plain text.
20 | 
21 | ### SSL Certificate Pinning
22 | The strongest protection developers take to secure their APIs from being intercepted is SSL Certificate Pinning.
23 | [This article](https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/ "Certificate Pinning Article") explains Certificate Pinning in greater detail however it is a checker built into the application. It ensures that the SSL/TLS Certificate is one approved by a certificate authority (CA). This causes all requests where Charles Proxy is attempting to intercept requests using SSL Proxying as the device trusted SSL/TLS Certificate is invalid.
24 | 
25 | This can be circumvented on a [Jailbroken iOS Device](https://en.wikipedia.org/wiki/IOS_jailbreaking) by installing [SSL Kill Switch](https://github.com/nabla-c0d3/ssl-kill-switch2). This software provides the ability to patch low-level functions responsible for handling SSL/TLS connections in order to override and disable the system's default certificate validation, as well as any kind of custom certificate validation (such as certificate pinning).
26 | 
27 | ### TikToks Progressive Steps to Prevent API Monitoring
28 | Security through ambiguity does not work. However, TikTok now send a unique ID header with every single request that comprised of many factors. This header is verified by the server and if the unique ID is incorrect, the request is rejected. The unique ID is assumed to contain details such as Timestamp, Device ID and API endpoints. This unique ID algorithm can be reverse engineered. The difficulty is reverse engineering the whole iOS application. There have been many projects that have succesfully reverse engineered these unique IDs. 
29 | 
30 | ## How to use
31 | See examples in /examples
32 | Most API endpoints are depreciated at this point, proof of concept testing may occur.
33 | 


--------------------------------------------------------------------------------
/examples/follow.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('../src/musically.php');
 3 | $username = '';
 4 | $password = '';
 5 | $userId = '';
 6 | 
 7 | $i = new \MusicallyAPI\Musically();
 8 | 
 9 | 	try{
10 | 		$i->login($username, $password);	
11 | 	}catch (Exception $e){
12 | 		var_dump($e);
13 | 	}
14 | 
15 | 	try{
16 | 		$resp = $i->follow($userId);
17 | 		echo $resp;
18 | 	}catch (Exception $e){
19 | 		var_dump($e);
20 | 	}
21 | ?>
22 | 


--------------------------------------------------------------------------------
/examples/login.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | include('../src/musically.php');
 4 | $username = '';
 5 | $password = '';
 6 | 
 7 | $i = new \MusicallyAPI\Musically();
 8 | 
 9 | 	try{
10 | 		$resp = $i->login($username, $password);
11 | 		// var_dump($resp);
12 | 		echo $resp;
13 | 
14 | 	}catch(Exception $e){
15 | 		var_dump($e);
16 | 	}
17 | 


--------------------------------------------------------------------------------
/examples/searchuser.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('../src/musically.php');
 3 | $username = '';
 4 | $password = '';
 5 | $searchTerm = '';
 6 | $pageNo = '';
 7 | 
 8 | $i = new \MusicallyAPI\Musically();
 9 | 
10 | 	try{
11 | 		$i->login($username, $password);
12 | 	}catch (Exception $e){
13 | 		var_dump("An error occurred: " . $e);
14 | 	}
15 | 
16 | 	try{
17 | 		$resp = $i->searchUsers($searchTerm);
18 | 		$resp = json_decode($resp);
19 | 		$userId = $resp->full_response->result->list[0]->userId;
20 | 	}catch (Exception $e){
21 | 		var_dump("An error occurred: " . $e);
22 | 	}
23 | 
24 | 	try{
25 | 		$resp = $i->getUsersDetails($userId);
26 | 		echo $resp;
27 | 	}catch (Exception $e){
28 | 		var_dump("An error occurred: " . $e);
29 | 	}
30 | ?>
31 | 


--------------------------------------------------------------------------------
/examples/unfollow.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include('../src/musically.php');
 3 | $username = '';
 4 | $password = '';
 5 | $userId = '';
 6 | 
 7 | $i = new \MusicallyAPI\Musically();
 8 | 
 9 | 	try{
10 | 		$i->login($username, $password);	
11 | 	}catch (Exception $e){
12 | 		var_dump("An error occurred: " . $e);
13 | 	}
14 | 
15 | 	try{
16 | 		$resp = $i->unfollow($userId);
17 | 		echo $resp;
18 | 	}catch (Exception $e){
19 | 		var_dump("An error occurred: " . $e);
20 | 	}
21 | ?>
22 | 


--------------------------------------------------------------------------------
/src/musically.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | namespace MusicallyAPI;
  3 | 
  4 | 	class Musically{
  5 | 		const API_URL = 'https://api.musical.ly/rest/';
  6 | 
  7 | 		public function __construct(){
  8 | 			header('Content-Type: application/json');
  9 | 		}
 10 | 
 11 | 		/**
 12 | 		* Login
 13 | 		*
 14 | 		* @param $username string login username
 15 | 		* @param $password string login password
 16 | 		**/
 17 | 
 18 | 		public function login($username, $password){
 19 | 			$this->username = $username;
 20 | 			try{
 21 | 				$ch = curl_init();
 22 | 				curl_setopt($ch, CURLOPT_URL, "https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true");
 23 | 				curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 24 | 				curl_setopt($ch, CURLOPT_NOBODY, 1);
 25 | 				curl_setopt($ch, CURLOPT_POSTFIELDS, "admin=0&bid&email=%40".$username."&fansNum&featuredScope=0&followNum&gender=n&googleAccount&handle&handleModified&icon&instagramID&likesNum&livelyHearts&nickName&password=".$password."&realName&registered=0&remember_me=on&reviewer=0&source&suspicious=0&userDesc&userId&userSettingDTO[birthDay]&userSettingDTO[birthYear]&userSettingDTO[countryCode]&userSettingDTO[duet]&userSettingDTO[hideLocation]&userSettingDTO[languageCode]&userSettingDTO[policyVersion]&userSettingDTO[privateChat]&userSettingDTO[secret]&userSettingDTO[timeZone]&username=%40".$username."&verified=0&verifiedPhone=0&youtubeChannelId&youtubeChannelTitle");
 26 | 				curl_setopt($ch, CURLOPT_POST, 1);
 27 | 				curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');
 28 | 				curl_setopt($ch, CURLOPT_HEADER, 1);
 29 | 				$headers = array();
 30 | 				$headers[] = "Host: api.musical.ly";
 31 | 				$headers[] = "X-Requested-With: XMLHttpRequest";
 32 | 				$headers[] = "User-Agent: Musical.ly/20170524004 (iPhone; iOS 9.0.1; Scale/2.00)";
 33 | 				$headers[] = "Country: US";
 34 | 				$headers[] = "Language: en-US";
 35 | 				$headers[] = "X-Request-Info5: eyJtZXRob2QiOiJQT1NUIiwib3MiOiJpT1MgOS4wLjEiLCJYLVJlcXVlc3QtSUQiOiJENzY5OERGMS0zNjc2LTQ5OUYtQUVBQS05RUJFNjU2NEUzMkYiLCJvc3R5cGUiOiJpb3MiLCJkZXZpY2VpZCI6ImkwY2Q3NzBjNmFmNGQzNDY1OWJhNzIxMTA3OTA2NmRlOGJiMyIsInZlcnNpb24iOiI1LjcuMSIsInRpbWVzdGFtcCI6IjE0OTYwODY1NzYwMDAiLCItciI6IjUwNTQiLCJ1cmwiOiJodHRwczpcL1wvYXBpLm11c2ljYWwubHlcL3Jlc3RcL3Bhc3Nwb3J0XC92MlwvbG9naW4/c3VwcG9ydExvZ2luVmVyaWZ5PXRydWUifQ==";
 36 | 				$headers[] = "Version: 5.7.1";
 37 | 				$headers[] = "Os: iOS 9.0.1";
 38 | 				$headers[] = "Build: 20170524004";
 39 | 				$headers[] = "Slider-Show-Cookie: ";
 40 | 				$headers[] = "X-Request-Sign5: 01i65393211a23cded01ae6736be3aab1bec21f7dcbd";
 41 | 				$headers[] = "Authorization: M-TOKEN \"hash\"=";
 42 | 				$headers[] = "Mobile: iPhone8,1";
 43 | 				$headers[] = "Slider-Show-Session: i0cd770c6af4d34659ba7211079066de8bb3";
 44 | 				$headers[] = "Accept-Language: en-US;q=1";
 45 | 				$headers[] = "X-Request-Id: D7698DF1-3676-499F-AEAA-9EBE6564E32F";
 46 | 				$headers[] = "Timezone: IST";
 47 | 				$headers[] = "Network: WiFi";
 48 | 				$headers[] = "Accept: application/json";
 49 | 				$headers[] = "Content-Type: application/x-www-form-urlencoded; charset=utf-8";
 50 | 				$headers[] = "-R: 5054";
 51 | 				curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
 52 | 				$result = curl_exec($ch);
 53 | 				curl_close ($ch);
 54 | 
 55 | 			    $headers=array();
 56 | 			    $data=explode("\n", $result);
 57 | 
 58 | 			    $this->store = new \Stdclass();
 59 | 			    $this->store->username = $username;
 60 | 			    $this->store->password = $password;
 61 | 
 62 | 			    $dexplore = explode('=', $data[6]);
 63 | 
 64 | 			    $this->store->slider_cookie = $dexplore[1];
 65 | 			    $this->store->token_expiration = $dexplore[3];
 66 | 
 67 | 
 68 | 			    $dexplore1 = explode('"', $data[7]);
 69 | 			    $this->store->authentication_hash = $dexplore1[1];
 70 | 
 71 | 			    if($this->store($this->store)){
 72 | 				return $this->Response(explode('=', $data[11])[0]);
 73 | 			    }else{
 74 | 				throw new \Exception($e . $this->Response($data));
 75 | 			    }
 76 | 			}catch(Exception $e){
 77 | 				return 'ERROR: '.$e;
 78 | 			}
 79 | 
 80 | 
 81 | 		}
 82 | 
 83 | 		/**
 84 | 		* Follow user
 85 | 		*
 86 | 		* @param $userId int|string user to follow
 87 | 		**/
 88 | 
 89 | 		public function follow($userId = NULL){
 90 | 
 91 | 			$requestData = $this->request(
 92 | 				"graph/operations/friendship/{$userId}/"
 93 | 				);
 94 |         	return $this->Response($requestData);
 95 | 		}
 96 | 
 97 | 		/**
 98 | 		* Unfollow user
 99 | 		*
100 | 		* @param $userId int|string user to unfollow
101 | 		**/
102 | 
103 | 		public function unfollow($userId = NULL){
104 | 			$requestData = $this->request(
105 | 				"graph/operations/friendship/{$userId}/", 
106 | 				["headers" => [CURLOPT_CUSTOMREQUEST => 'DELETE'] ],
107 | 				NULL
108 | 				);
109 | 			// curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
110 |         	return $this->Response($requestData);
111 | 			
112 | 		}
113 | 
114 | 		/**
115 | 		* Search for user by search term
116 | 		*
117 | 		* @param $searchTerm string The search term
118 | 		* @param $pageNo int Pagination
119 | 		**/
120 | 
121 | 		public function searchUsers($searchTerm = NULL, $pageNo = 1){
122 | 			$requestData = $this->request(
123 | 				"discover/user/find_user_v1?pageNo={$pageNo}&___d=eyJhYyI6IkxJU1QiLCJieiI6ImZpbmRfdXNlciIsImRtIjoiVVNFUiIsInZlciI6InYxIn0%3D&keyword={$searchTerm}",
124 | 				["headers" => [CURLOPT_CUSTOMREQUEST => 'GET'] ],
125 | 				NULL
126 | 				);
127 | 
128 | 			return $this->Response($requestData);
129 | 		}
130 | 
131 | 		/**
132 | 		* Get details of users account from their userId
133 | 		*
134 | 		* @param $userId int|string Users ID to get
135 | 		**/
136 | 
137 | 		public function getUsersDetails($userId = NULL){
138 | 			$requestData = $this->request(
139 | 				"user/{$userId}?user_vo_relations=all",
140 | 				["headers" => [CURLOPT_CUSTOMREQUEST => 'GET'] ],
141 | 				NULL
142 | 				);
143 | 			// get users posts
144 | 			// $requestData2 = $this->request(
145 | 			// 	"discover/musical/owned/list/Yrs2DW4X8sbayZJNFXf8lV8BGYJs6vd69fGQ8eA9?limit=20&anchor=0&target_user_id={$userId}"
146 | 			// 	);
147 | 
148 | 			return $this->Response($requestData);
149 | 		}
150 | 
151 | 		// PRIVATE FUNCTIONS 
152 | 
153 | 		private function store($store = array()){
154 | 			$json = file_get_contents(__DIR__.'/stored_data/stored.json');
155 | 			$data = json_decode($json, true);
156 | 
157 | 				$username = $store->username;
158 | 				$data['usernames'][$username]['username'] = $store->username;
159 | 				$data['usernames'][$username]['password'] = $store->password;
160 | 				$data['usernames'][$username]['timestamp'] = date("D, d M Y G:i:s e");
161 | 				$data['usernames'][$username]['slider_cookie'] = $store->slider_cookie;
162 | 				$data['usernames'][$username]['token_expiration'] = $store->token_expiration;
163 | 				$data['usernames'][$username]['authentication_hash'] = $store->authentication_hash;
164 | 
165 | 			$updatedJson = json_encode($data);
166 | 			if(file_put_contents(__DIR__.'/stored_data/stored.json', $updatedJson)){
167 | 				return true;
168 | 			}else{
169 | 				return false;
170 | 			}
171 | 		}
172 | 
173 | 		private function getUserData($username = NULL){
174 | 			$json = file_get_contents(__DIR__.'/stored_data/stored.json');
175 | 			$data = json_decode($json, true);
176 | 
177 | 			return $data['usernames'][$username];
178 | 		}
179 | 
180 | 		/**
181 | 		* Carry out the API requests.
182 | 		*
183 | 		* @param string $url Request URL
184 | 		* @param array $additionalcUrlHeaders eg ["headers" => ['header1'=>'value1'], ['header2' => 'value2'] ]
185 | 		* @param array $additionalHeaders eg ['value1', 'value2', 'value3']
186 | 		**/
187 | 
188 | 		private function request($url, $additionalcUrlHeaders = NULL, $additionalHeaders = NULL){
189 | 			$accountData = $this->getUserData($this->username);
190 | 
191 | 			$ch = curl_init();
192 | 	        curl_setopt($ch, CURLOPT_URL, self::API_URL.$url);
193 | 	        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
194 | 	        curl_setopt($ch, CURLOPT_POST, 1);
195 | 	        curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');
196 | 	        if(isset($additionalcUrlHeaders)){
197 | 	        	foreach($additionalcUrlHeaders as $addcUrlHeaders){
198 | 	        		$key = key($addcUrlHeaders);
199 | 	        		curl_setopt($ch, $key, $addcUrlHeaders[$key]);
200 | 	        	}
201 | 	        }
202 | 	        $headers = array();
203 | 	        if(isset($additionalHeaders)){
204 | 	        	foreach($additionalHeaders as $addHeaders){
205 | 	        		$headers[] = $addHeaders;
206 | 	        	}
207 | 	        }
208 | 	        $headers[] = "Host: api.musical.ly";
209 | 	        $headers[] = "X-Requested-With: XMLHttpRequest";
210 | 	        $headers[] = "User-Agent: Musical.ly/20170420008 (iPhone; iOS 9.0.1; Scale/2.00)";
211 | 	        $headers[] = "X-Request-Sign3: I6dbcd2882dacaeec7583547249f15ead22328d3f7";
212 | 	        $headers[] = "Country: US";
213 | 	        $headers[] = "Language: en-US";
214 | 	        $headers[] = "Version: 5.5.3";
215 | 	        $headers[] = "Os: iOS 9.0.1";
216 | 	        $headers[] = "Build: 20170420008";
217 | 	        $headers[] = "Slider-Show-Cookie: ".$accountData['slider_cookie'];
218 | 	        $headers[] = "Authorization: M-TOKEN \"hash\"=\"".$accountData['authentication_hash']."\" \"status\"=\"000\"";
219 | 	        $headers[] = "Mobile: iPhone8,1";
220 | 	        $headers[] = "Slider-Show-Session: 2fd93ff1bd1647a093c897c3aee912b5";
221 | 	        $headers[] = "Accept-Language: en-US;q=1";
222 | 	        $headers[] = "X-Request-Id: 3E488C11-A010-4B8E-99A0-F5799365609C";
223 | 	        $headers[] = "Timezone: IST";
224 | 	        $headers[] = "Network: WiFi";
225 | 	        $headers[] = "Accept: application/json";
226 | 	        $headers[] = "X-Request-Info3: eyJvc3R5cGUiOiJpb3MiLCJvcyI6ImlPUyA5LjAuMSIsIlgtUmVxdWVzdC1JRCI6IjNFNDg4QzExLUEwMTAtNEI4RS05OUEwLUY1Nzk5MzY1NjA5QyIsInNsaWRlci1zaG93LWNvb2tpZSI6ImJsODJNekl5TURBeE5UQXpNemMzTkRBNE1EcDFhakZvYVUweFJqRTJMMXAwWlZCdlRsVlRaVEpSUFQwNlpUazNPRE5sTXpjMVpUZzROV0ZsTURBd05tWXdZMk16T0RobVpUSmhNamM2TmpNeU1qQXdNVFV3TXpNM056UXdPREEiLCJtZXRob2QiOiJQT1NUIiwiZGV2aWNlaWQiOiIyZmQ5M2ZmMWJkMTY0N2EwOTNjODk3YzNhZWU5MTJiNSIsInZlcnNpb24iOiI1LjUuMyIsInRpbWVzdGFtcCI6IjE0OTQxMDc1MzAwMDAiLCJ1cmwiOiJodHRwczpcL1wvYXBpLm11c2ljYWwubHlcL3Jlc3RcL2dyYXBoXC9vcGVyYXRpb25zXC9mcmllbmRzaGlwXC82Njg0ODI3NDU3NzQxNjE5MiJ9";
227 | 	        $headers[] = "Content-Type: application/x-www-form-urlencoded";
228 | 	        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
229 | 	        $result = curl_exec($ch);
230 | 	        curl_close ($ch);
231 | 	        return $result;
232 | 		}
233 | 
234 | 		private function Response($requestData){
235 | 			$requestData = json_decode($requestData);
236 | 
237 | 			$resp = new \Stdclass();
238 | 			$resp->success = $requestData->success;
239 | 			if(isset($requestData->result->hasNext)){
240 | 				$resp->hasNext = $requestData->result->hasNext;
241 | 			}
242 | 			$resp->full_response = $requestData;
243 | 
244 | 			$resp = json_encode($resp);
245 | 			return $resp;
246 | 		}
247 | 	}
248 | 
249 | ?>
250 | 


--------------------------------------------------------------------------------
/src/stored_data/stored.json:
--------------------------------------------------------------------------------
 1 | {
 2 | 	"usernames" : 
 3 | 		{
 4 | 			"JessicaSmith6397" : 
 5 | 				{
 6 | 					"username" : "JessicaSmith6397",
 7 | 					"password" : "Password123"
 8 | 				},
 9 | 
10 | 			"anotheraccount" :
11 | 				{
12 | 					"username" : "anotheraccount",
13 | 					"password" : "Password123"
14 | 				}
15 | 		}
16 | 	
17 | }


--------------------------------------------------------------------------------