Is it still the case that the app only uses HTTPS to create a session and plain HTTP for everything else? I remember that was the case about a year ago after using mitmproxy to sniff traffic, although I don't recall HMAC being used to sign requests then. Anyway, I wondered then why nobody had used Firesheep to devastating effect, e.g. a bot sitting on an open wifi and posting NSFW images to any account on the network.
Note that Instagram doesn't encrypt requests to their private API; they only sign them. In fact the parameter is called 'signed_body', not 'encrypted_body'.

Anyway, interesting post.
Isn't the fact that they are using a simple HMAC-SHA256 hash also a root of the problem?

What if, instead of using only the POST data to create the hash, they added another piece of information, like the hour of the day? Wouldn't it be way harder for a hacker to actually understand what went into signing the request?
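The timestamped variant raised in this comment, as an added example that is not from the original thread or from Instagram's own code: the client HMACs a timestamp together with the body, and the server recomputes the MAC, compares it in constant time, and rejects anything outside a freshness window. The key, the `signed_body` layout and the 300-second window are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secret; the real key is not on the page.
SHARED_KEY = b"example-shared-key-not-real"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def canonical(body: dict) -> bytes:
    """Serialise the body deterministically so client and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(body: dict, key: bytes, ts: Optional[int] = None) -> dict:
    """Client side: bind body and timestamp together under HMAC-SHA256."""
    ts = int(time.time()) if ts is None else ts
    raw = canonical(body)
    mac = hmac.new(key, str(ts).encode() + b"." + raw, hashlib.sha256).hexdigest()
    # Assumed layout: <hex mac>.<unix ts>.<json body>
    return {"signed_body": f"{mac}.{ts}.{raw.decode()}"}


def verify_request(signed: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Server side: return the body if the MAC is valid and fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        mac, ts_str, raw = signed.split(".", 2)  # body may itself contain dots
        ts = int(ts_str)
        body = json.loads(raw)
    except ValueError:  # covers malformed ints and JSONDecodeError
        return None
    # Freshness check bounds how long a captured signed_body stays replayable.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    # MAC over the bytes actually received, so any edit to ts or body breaks it.
    expected = hmac.new(key, f"{ts}.".encode() + raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return body
```

The timestamp only limits replay of a captured request; it does nothing for a key that ships inside the client, which is the weakness the rest of the thread is discussing.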
Interesting write-up. Seems rather simple, really. Presumably Instagram could change their private key and roll out a new client version on each platform, breaking all third-party apps using the current key, though. Although I guess it'd be just as easy to get it again.