hello…

through some testing and special tools (not going to say, you’ll figure it out if you know what you’re doing), i’ve found the following API endpoints for logging in, modifying your iFunny account, and taking actions…

please keep in mind i have not explored all of the app while looking at the traffic, so not all actions have been listed (yet).

have fun!

Endpoints

Host: api.ifunny.mobi

Headers Used:
Authorization: Bearer <OAuth2 token>
iFunny-Project-Id: iFunny
User-Agent: iFunny/7.22.1(1129868) Android/<OSVer> (<DeviceMaker>; <DeviceModel>; <DeviceMaker>)

  • [GET] /v4/feeds/featured (BasicAuth Required)
    • Description: Retrieves the Featured feed
      • Parameter: limit=<int>
        • Seems to limit the number of featured posts you get per request; this was set to 30 when I had dug in. Manually changing this appears to do nothing.
      • Parameter: is_new=<bool>
        • Unsure of what this is used for, features are always at 999+ but I always see new ones? Idk. Set to False when I saw it.

  • [GET] /v4/feeds/project_elements (BasicAuth Required)
    • Description: Retrieves comments from said post.
      • Parameter: limit=<int>
        • Set to 50 when I had seen the request made.

  • [GET] /v4/app/settings (BasicAuth Required)
    • Description: Appears to retrieve information about the settings configured – but not just user settings. There appears to also be ad-related settings here such as if comment-placed ads are to show.
      • No parameters.

  • [GET] /v4/clients/me (BasicAuth Required)
    • Description: Unsure, the only response is {"status":200}

  • [PUT] /v4/clients/my/timezone (BasicAuth Required)
    • Description: Unsure, only response is {"status":200}
      • Parameter: timezone
        • This was set to JST when the request was made on my end.

  • [PUT] /v4/issues/next_issue_time (BasicAuth Required)
    • Description: Unsure…?
      • No parameters.

  • [GET] /v4/users/my/unread_chat_messages (BasicAuth Required)
    • Description: Seems to just provide a count of unread messages, most likely for the in-app chat counter.
      • No parameters.

  • [GET] /v4/users/nicks_available (BasicAuth Required)
    • Description: Checks if a username is available when registering. Returns data.available as a boolean indicating whether the username is open.
      • Parameter: nick
        • The username to check for availability.

  • [GET] /v4/users/emails_available (BasicAuth Required)
    • Description: Same as Nicks Available, but checks whether the email is already registered instead.
      • Parameter: email
        • The email to check for whether it's in use.

  • [POST] /v4/oauth2/token (BasicAuth Required)
    • Description: Used to retrieve the Bearer Token in order to perform logged-in user actions like comments.
      • Parameter: grant_type
        • Set this to “password”. Unsure as to if other items will work or if this is required at all.
      • Parameter: username
        • Use the email, not the username here.
      • Parameter: password
        • User password.

  • [GET] /v4/account (BearerAuth Required)
    • Description: Retrieves the account info of the logged-in user. Includes days online and “safe mode” settings set.
      • No parameters.

  • [GET] /v4/app/privacy (BearerAuth Required)
    • Description: Retrieves if user is in any “privacy requirements” zones. Includes GDPR, CCPA, and LGPD(?). Will provide info as to if the user accepted or if the prompts should be shown.
      • No parameters required.

API Notes

CAPTCHA Prompts:

When performing some actions including registering, login, and other “higher risk” actions, you may receive a Status 403 response prompting you to complete a CAPTCHA:

{
  "error": "captcha_required",
  "error_description": "Human verification is required",
  "data": {
    "captcha_url": "https://api.ifunny.mobi/verify.php?id=<ID>&project=iFunny",
    "type": "recaptcha"
  },
  "status": 403
}

The CAPTCHA can be completed from any browser. When getting this response from the app, I completed it from another device and then re-sent the request. The request passed after that.

Analytics Logging

In my instance, I saw multiple requests for logs.ifunny.co and events.ifunny.co. These hosts can be blocked without issue as they’re returning information about your device and spying on what you’re doing (I love my Russian Spyware app!).

GeoIP/PrivacyPrompt checking

iFunny appears to use its own servers to check for GeoIP zones that may require CCPA/GDPR/etc. requests to be approved before continuing. These can be requested (from the looks of it) without authentication to https://geoip.ifunny.co and can return the source IP Country, as well as "if_gdpr_zone"/"if_ccpa_zone"/"if_lgpd_zone".

Other oddities

In some responses from the server, the header “inst” was returned with the following data:
{"risk":{"level":1,"reason":"DEFAULT"}}
Unsure as to what this does or what it’s for.
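
The following Python is an added example, not code from the original post or from iFunny. It recognises the 403 captcha_required body shown under CAPTCHA Prompts, refuses a captcha_url that is not an https link on api.ifunny.mobi before anyone opens it in a browser, and decodes the JSON carried in the "inst" header. The function names and the sample id value are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse, parse_qs

API_HOST = "api.ifunny.mobi"  # API host named in the post

# Constructed sample in the shape shown above; the id value is made up.
SAMPLE_403 = json.dumps({
    "error": "captcha_required",
    "error_description": "Human verification is required",
    "data": {
        "captcha_url": "https://api.ifunny.mobi/verify.php?id=EXAMPLE123&project=iFunny",
        "type": "recaptcha",
    },
    "status": 403,
})


def parse_captcha_challenge(status, body_text):
    """Return challenge details for the 403 captcha_required response, None
    for anything else; ValueError if captcha_url is not https on the API host."""
    if status != 403:
        return None
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        return None
    if not isinstance(body, dict) or body.get("error") != "captcha_required":
        return None
    data = body.get("data")
    raw = data.get("captcha_url") if isinstance(data, dict) else None
    url = urlparse(raw) if isinstance(raw, str) else None
    # hostname ignores any userinfo part, so "api.ifunny.mobi@other" is rejected.
    if url is None or url.scheme != "https" or url.hostname != API_HOST:
        raise ValueError("unexpected captcha_url: %r" % (raw,))
    query = parse_qs(url.query)
    return {"url": raw, "id": query.get("id", [None])[0], "type": data.get("type")}


def parse_inst_header(value):
    """Decode the 'inst' header JSON into (level, reason); None if absent or malformed."""
    try:
        risk = json.loads(value)["risk"]
        return risk["level"], risk["reason"]
    except (TypeError, ValueError, KeyError):
        return None

if __name__ == "__main__":
    print(parse_captcha_challenge(403, SAMPLE_403))
    print(parse_inst_header('{"risk":{"level":1,"reason":"DEFAULT"}}'))
```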

img.ifunny.co is used to retrieve the videos and images in your feed. imageproxy.ifunny.co appears to instead be used to modify these images, i.e. for profile photos.

iFunny Chat uses the chat.ifunny.co host, but all actions are done through a WebSocket. Currently trying to find out how this works (fun fact: never worked with websockets before)