add protobuf-based v3 sms auth script

[jimtje]

Added a quick script to enable v3 sms auth to get the token. Just run python sms_auth_v3.py after installing the new requirements either by pip install -r requirements.txt or simply installing the betterproto package.

[mati0090]

Probably, all .proto files, except authgateway.proto can be removed. Seems that generic Google Protobuf types was extracted during disassemble process.

[sutble]

Hey, awesome work with this! Do you know why there's an extra step involving email authentication? On the tinder app this step isnt required. Also I noticed that the tinder text message is different than the one received from the app? Let me know if there's any additional work that needs to be done on this, would gladly jump in and help.

[jimtje]

I don't actually know if it pops up every time for everyone, for testing I created a throwaway account with a Google voice number and disposable email and I suspected that the email verification wouldn't pop up if I had used a real email. The text message I receive on Google Voice actually is the same from the app and the script, but differs from the web-ui, probably because it's tied to the build/version that's hardcoded into the headers right now because there wasn't a way to dynamically get the latest available version. Tinder pushes out a new build every week or two but it doesn't seem immediately necessary to keep up as long as it still logs in.

I think since the most immediate problem was that not having the auth token meant no programmatic access at all to their API at least that aspect is all good until it breaks. I think the more interesting stuff that's visible in the app's code but not online (or at least not accessible to me) looks like some sort of websocket and protobuf-based chat system that allows the creation of rooms, kicking of users, and use of video (Tinder-Zoom hybrid?) When that feature is fleshed out and available it would probably be the next thing to be added, but no idea as to if or when that's going to be a thing yet.

[nikitaKravchenko]

@fbessez, this is a good pull request, looks like.
Just curious, are you going to merge it to master branch?

[0xhiroki]

Has anyone been able to use the apis? I was able to fetch the token through sms_auth_v3.py, but I keep getting the following error when using "get_recs_v2" api:

{'meta': {'status': 401}, 'error': {'message': 'SESSION_INVALID', 'code': 40101}}

I pasted the token from running sms_auth_v3.py into config.py.

[jimtje]

There are a bunch of headers that seems required with making actual api calls now, and the client needs to be able to keep consistent "app-session-time-elapsed" and "user-session-time-elapsed" in the correct order it seems. So I think going forward it may simply be necessary to flesh things out by building more or less the entire api client out. In that case it probably would make more sense for me to either fork the project entirely or build something a bit more structured from scratch.

I also have a few other projects on my plate right now, and with those, a few deadlines lurking. I'll try my best to figure out something that is both maintainable and easy to work with but no guarantees on timelines. The auth flow I put in has some rudimentary app session spoofing built in if anyone wants to just extend it out from there in terms of headers but I have no idea whether that's actually sufficient since it's not keeping a real tally of time and it just randomly generates some possible numbers for the slot.

[pawelfluder]

Hi I was using code from your pull-request and it was working very well.
But now I have good request response:
{'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}

but no sms is send. Any idea what can be wrong?
Anything changed in tinder api since last month?
Do I need to update sth to make this work again?

[jimtje]

Hi I was using code from your pull-request and it was working very well. But now I have good request response: {'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}

but no sms is send. Any idea what can be wrong? Anything changed in tinder api since last month? Do I need to update sth to make this work again?

Hey there. The last version from the Play Store (in the US at least) is dated December 5. I would be pretty surprised if they changed anything about the api in the interim. Can you login from a phone? Have you successfully logged in since Dec. 5? Or is it a problem that came up before then?

I'm stuck in quarantine overseas right now in a country that isn't served by Tinder and also, blocks Google wholesale so I can't check my Google Voice to test the sms part anyway, even if I rig up something that can hit their api endpoint, and without going too much into it I don't really know when I'll be able to test but it'll be a few weeks at least and likely 1-2 months. I got my hands on the latest apk and it doesn't look like the login/auth part changed much, mostly things got moved around but the endpoint seems the same and as does the .proto files associated with the 2fa auth gateway. That doesn't mean that they didn't change anything, but it's nothing obvious in the code.

If anything, it could just be that the server no longer accepts headers indicating that the client is a version of Tinder from almost 2 years ago, and so I'll update the headers and hope for the best. Let me know if that helps. I'll push a commit at some point next day or two to get the latest version numbers and all that in place. However, do try to log in the normal way if you can to eliminate backend changes they've done that we can't see or do anything about. Also, I have no idea if they put out different apks (usually for legal purposes) and have different backends set up in non-US jurisdictions, so maybe it's worth trying with a different account to see if that works. At the very least it will narrow down the potential problems by process of elimination.

[THEWEZERNOW]

Hey @jimtje, can you push an update for the headers, please?

[Scylla2020]

I believe they are also checking header order now. Always works for me in this order:

headers = {
    'user-agent': "Tinder Android Version 14.9.0", 
    'os-version': "29",
    'app-version': "4467", 
    'platform': "android", 
    'platform-variant': "Google-Play", 
    'x-supported-image-formats': "webp",
    'accept-language': "en-US",
    'tinder-version': "14.9.0", 
    'Store-Variant': 'Play-Store',
    'persistent-device-id': deviceid,
    'content-type': "application/x-protobuf",
    'Host': 'api.gotinder.com',
    'connection': "close",
    'accept-encoding': "gzip", 
}

[gelodefaultbrain]

Hi! it seems that it works but I can't receive the SMS OTP? can we work on this? I think this is on the right track cause I see that tinder has changed their way of the API indeed , with v3

[gelodefaultbrain]

Hi I was using code from your pull-request and it was working very well. But now I have good request response: {'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}
but no sms is send. Any idea what can be wrong? Anything changed in tinder api since last month? Do I need to update sth to make this work again?

Hey there. The last version from the Play Store (in the US at least) is dated December 5. I would be pretty surprised if they changed anything about the api in the interim. Can you login from a phone? Have you successfully logged in since Dec. 5? Or is it a problem that came up before then?

I'm stuck in quarantine overseas right now in a country that isn't served by Tinder and also, blocks Google wholesale so I can't check my Google Voice to test the sms part anyway, even if I rig up something that can hit their api endpoint, and without going too much into it I don't really know when I'll be able to test but it'll be a few weeks at least and likely 1-2 months. I got my hands on the latest apk and it doesn't look like the login/auth part changed much, mostly things got moved around but the endpoint seems the same and as does the .proto files associated with the 2fa auth gateway. That doesn't mean that they didn't change anything, but it's nothing obvious in the code.

If anything, it could just be that the server no longer accepts headers indicating that the client is a version of Tinder from almost 2 years ago, and so I'll update the headers and hope for the best. Let me know if that helps. I'll push a commit at some point next day or two to get the latest version numbers and all that in place. However, do try to log in the normal way if you can to eliminate backend changes they've done that we can't see or do anything about. Also, I have no idea if they put out different apks (usually for legal purposes) and have different backends set up in non-US jurisdictions, so maybe it's worth trying with a different account to see if that works. At the very least it will narrow down the potential problems by process of elimination.

Hi @jimtje , any updates so far, hope you're doing okay.

[gelodefaultbrain]

UPDATE!
This headers worked for me, thanks to this comment it gave me clues. Now one thing I noticed is , NEVER EVER TRY TO SPAM upon trying to get SMS OTP, tinder seems to be very strict

        headers = {
            'user-agent': "Tinder Android Version 12.6.0", 
            'os-version': "25",
            'app-version': "4023", 
            'platform': "android", 
            'platform-variant': "Google-Play", 
            'x-supported-image-formats': "webp",
            'accept-language': "en-US",
            'tinder-version': "12.6.0", 
            'store-Variant': 'Play-Store',
            'persistent-device-id': self.deviceid,
            'content-type': "application/x-protobuf",
            'host': 'api.gotinder.com',
            'connection': "close",
            'accept-encoding': "gzip,deflate, br",

             'install-id': self.installid,
             'app-session-id': self.appsessionid,
             'funnel-session-id': self.funnelid,
             'app-session-time-elapsed': format(seconds, ".3f")
        }

[gelodefaultbrain]

Hi! I just encountered this

urllib3.connectionpool:_make_request:2023-11-15 16:27:45,992:DEBUG:https://api.gotinder.com:443 "POST /v3/auth/login HTTP/1.1" 403 153
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,994:DEBUG:submit_email_otp_response: {'error': {'code': 40307, 'message': 'APPEAL_BAN', 'banReason': {'banAppeal': {'challengeType': 'arkose', 'challengeToken': '7ec728b7-d1e3-4edf-972a-3f0facf64293', 'refreshToken': 'eyJhbGciOiJIUzI1NiJ9.MTkwOTcyNzcyNDg.0BItH781Xc201saXLHzzVuFPs1zqrrIIyqGuc3HihUA'}}}}
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,994:DEBUG:Success submitting Email OTP code.
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,995:ERROR:Error submitting Email OTP code: 'loginResult'
urllib3.connectionpool:_get_conn:2023-11-15 16:28:46,644:DEBUG:Resetting dropped connection: api.gotinder.com
urllib3.connectionpool:_make_request:2023-11-15 16:28:46,889:DEBUG:https://api.gotinder.com:443 "POST /v3/auth/login HTTP/1.1" 403 153
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:DEBUG:submit_email_otp_response: {'error': {'code': 40307, 'message': 'APPEAL_BAN', 'banReason': {'banAppeal': {'challengeType': 'arkose', 'challengeToken': 'd9b7ee8d-841c-4626-97a9-27ef2e0cc73f', 'refreshToken': 'eyJhbGciOiJIUzI1NiJ9.MTkwOTcyNzcyNDg.0BItH781Xc201saXLHzzVuFPs1zqrrIIyqGuc3HihUA'}}}}
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:DEBUG:Success submitting Email OTP code.
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:ERROR:Error submitting Email OTP code: 'loginResult'

I think it''s somehow related to captchas? any way to bypass it?

[bitcoin4cashqc]

It is working and I didnt got anything with captcha yet. But I noticed this error :

line@line-dell:~/Desktop/Tinder$ python3 sms_auth_v3.py
This script will use the sms login to obtain the auth token, which will be saved to smstoken.txt
smstoken.txt found, if you wish to auth again from scratch, delete smstoken.txt
authToken found: -----------------------
Attempting to refresh auth token with saved refresh token
{'getPhoneState': {'refreshToken': '-------------------------------------'}}
{'error': {'code': 40120}}
Traceback (most recent call last):
  File "/home/line/Desktop/Tinder/sms_auth_v3.py", line 144, in <module>
    TinderSMSAuth(email=emailaddy)
  File "/home/line/Desktop/Tinder/sms_auth_v3.py", line 38, in __init__
    self.login()
  File "/home/line/Desktop/Tinder/sms_auth_v3.py", line 129, in login
    response = self.loginwrapper(messageout, seconds, headers)
  File "/home/line/Desktop/Tinder/sms_auth_v3.py", line 62, in loginwrapper
    return self.loginwrapper(messageresponse, seconds, header_timer)
  File "/home/line/Desktop/Tinder/sms_auth_v3.py", line 80, in loginwrapper
    elif "error" in response.keys() and response["error"]["message"] == 'INVALID_REFRESH_TOKEN':
KeyError: 'message'

Because there is no message with the error. I'm not sure what cause 40120. Anyone facing this?

[bitcoin4cashqc]

Error codes list that could be usefull

[mnai01]

Error codes list that could be usefull

You ever figure out how to get past this error?

[jimtje]

Hi I was using code from your pull-request and it was working very well. But now I have good request response: {'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}
but no sms is send. Any idea what can be wrong? Anything changed in tinder api since last month? Do I need to update sth to make this work again?

Hey there. The last version from the Play Store (in the US at least) is dated December 5. I would be pretty surprised if they changed anything about the api in the interim. Can you login from a phone? Have you successfully logged in since Dec. 5? Or is it a problem that came up before then?
I'm stuck in quarantine overseas right now in a country that isn't served by Tinder and also, blocks Google wholesale so I can't check my Google Voice to test the sms part anyway, even if I rig up something that can hit their api endpoint, and without going too much into it I don't really know when I'll be able to test but it'll be a few weeks at least and likely 1-2 months. I got my hands on the latest apk and it doesn't look like the login/auth part changed much, mostly things got moved around but the endpoint seems the same and as does the .proto files associated with the 2fa auth gateway. That doesn't mean that they didn't change anything, but it's nothing obvious in the code.
If anything, it could just be that the server no longer accepts headers indicating that the client is a version of Tinder from almost 2 years ago, and so I'll update the headers and hope for the best. Let me know if that helps. I'll push a commit at some point next day or two to get the latest version numbers and all that in place. However, do try to log in the normal way if you can to eliminate backend changes they've done that we can't see or do anything about. Also, I have no idea if they put out different apks (usually for legal purposes) and have different backends set up in non-US jurisdictions, so maybe it's worth trying with a different account to see if that works. At the very least it will narrow down the potential problems by process of elimination.

Hi @jimtje , any updates so far, hope you're doing okay.

Hey, I'm mostly just busy. And I really don't have a whole lot of time or interest since I don't think the pull request is getting merged and I had to take my twitter off my ghub because I get a lot of DMs there about this so that there's no way for me to really even answer all of them. Honestly for something I whipped up in 30 minutes while talking trash with some friends I watch baseball with during the pandemic this has lasted much longer than I thought it would. (Hilariously enough, overseas I got DMCAed by the New York Times out of all people, except every single statement made in their notice is false and they inadvertently committed perjury in the one narrow way one can do so under the DMCA and possibly violated the CFAA, but I can't claim damages since they were so incompetent that service was never interrupted and I didn't notice until they shut the whole thing down 6 months later. Oh well, next time this happens it'll be my 8th try to get some BS DMCA into fed court and nobody has taken up on my offer yet. I should reply with form letters since it's pretty obvious what a legal reply and a form reply looks like. I can't believe they think I'm hosting their entire back catalogue on github still. https://github.com/github/dmca/blob/master/2022/12/2022-12-19-audm.md)

But anyway, in a way I've moved on from reversing this particular app. I'm much more interested in the Hermes/React-Native reverse scene since it seems to be widely used but not nearly as well understood (except you can of course always Frida in and hook to the outbound requests and anything generated, but it's less fun than doing something like this.) I'm not entirely sure why one would have so many rump features-to-be placed in the production apks but Tinder has a habit of doing so. Just guessing blindly, they're probably testing for JA3 signatures too by now - they'd be stupid not to - but that's been known to be something to look out for since... 2019? And there are plenty of ways to bypass that.

A few last notes: Error 40307 is clearly an indicator that your account was banned. That's not really much of a hinderance. Get a new one and if they implemented Arkrose, that has been solved by just about every anti-captcha type service like 2captcha and anticaptcha and etc etc. The refresh token seems to be banned until Fri 3 March 2575 07:14:08 UTC, but when had that ever stopped anyone, really. Arkrose is the outfit behind Funcaptcha which, out of all the dumb uses of AI, this might be a good use of AI to solve if you don't want to deal with a specific captcha solving API (i.e. you already have an API key to your GenAI implementation of choice, why bother signing up elsewhere). But in any case, because of competition, it's cheap either way, and ultimately it involves sending a token as a payload. There are plenty of github repos that show you the code needed so I'll leave it at that. I'm of the belief that if you can get into a system by hand, it can be automated. PoW JS bundles like Akamai's post-Cyberfend BMP products? I solved 6 versions of the mobile version alone, which tends to be stable and unchanged, within a year of learning Python, all to place bets automatically against bookies that still took bets from "sharps" (I prefer 'advantage players who do not tout'). Akamai is also aggressive in DMCA actions and this isn't transformative enough to qualify as an exception, so the source is available in a repo hosted in China if you really need it. I guess people use at least some of that for sneaker bots but that's not a scene I'm involved in (baseball cards/memorabilia, top shelf bourbon, and single malt Islays are what I collect, and it's not digital security but straight up manufactured scarcity that makes them expensive and hard to acquire). It's hard to snipe an auction that doesn't exist, after all.

I may check up from time to time but if anyone wants to take over my fork let me know. I know that I'm hard to get in touch with, but 14 years of involvement with crypto means that I get so much phishing and scam calls that I once had someone posing as an FBI agent call while I'm sitting in a court house next to an FBI agent (my client was about to testify) and that was sort of the last straw... 8 years ago. But Github is a platform with social functions, and at some point I'll have some federated services that I have more direct control over on all aspects that would be available. ATProto has a lot of potential but yoou have to build it out yourself, so, building it myself I shall, I guess. That and Matrix gives me enough self-custody of data and trustless is not just the future, it's now. (It should not surprise anyone that XMR is a significant part of my holdings and I run a fair bit of infrastructure and I'm in touch with the appellate counsel on the Sterlingov case, and that's all I'll say about that)

Happy holidays, best of luck, and stay safe! Remember that in the US, demand a warrant, do not talk to the cops, assert your 5th Amendment rights and not a single word more, and reverse everything that you might run. Oh and read all the ToSes and AI can summarize but ToS is written so that summaries will always miss the operative part. Cheers.