Yahks/facebook-api-research


# facebook-api-research

Documenting Facebook's private API and Android app behaviour discovered through reverse engineering. This is the research behind FBPostX. Updated as I find new things.

## Why This Exists

Facebook's algorithm decides who sees your content. Most small businesses and ordinary people have no idea how it works. This research exists to change that.

## Tools Used

- **Selenium** — browser automation and behaviour observation
- **Burp Suite** — intercepting HTTPS traffic
- **jadx** — decompiling the Facebook Android APK
- **Android Debug Bridge (adb)** — device communication
- **Python** — scripting and testing
- **Frida** — runtime hooks on Android

## Findings

### Authentication

| Endpoint | Method | Description |
|---|---|---|
| `/login/device-based/regular/login/` | POST | Main web login |
| `/checkpoint/` | GET | Security checkpoint handler |
| `/2fac/` | POST | Two factor authentication |

### Groups

| Endpoint | Method | Description |
|---|---|---|
| `/groups/feed/` | GET | Group feed content |
| `/groups/{group_id}/` | GET | Specific group data |
| `/api/graphql/` | POST | GraphQL — most Facebook data flows here |

### Posting

| Endpoint | Method | Description |
|---|---|---|
| `/api/graphql/` | POST | Create post via GraphQL |
| `/groups/{group_id}/permalink/` | POST | Post to specific group |

*More endpoints being added as research continues.*

## Key Discovery — GraphQL

Almost everything on Facebook runs through one endpoint:

```
POST https://www.facebook.com/api/graphql/
```

The difference between actions is the `doc_id` or `fb_api_caller_class` parameter passed in the request body. This is what FBPostX exploits to automate group posting.

## Methodology

1. Set up Android emulator with Facebook installed
2. Route traffic through Burp Suite proxy
3. Observe requests during normal Facebook use
4. Decompile APK with jadx to understand request structure
5. Reproduce behaviour with Selenium and Python
6. Document findings here

## Status

- [x] Login flow mapped
- [x] Group posting behaviour documented
- [x] GraphQL endpoint identified
- [ ] Marketplace API — in progress
- [ ] Events API — not started
- [ ] Ads system internals — not started
- [ ] Messenger API — not started

## Related

- [FBPostX](https://github.com/Yahks/FBPostX) — the tool built from this research

## Disclaimer

This research is for educational purposes only. All findings are from passive observation and decompilation. No Facebook systems were harmed or exploited.
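
The GraphQL finding above means a URL-level view of captured traffic collapses every action into one row, so any review or monitoring of a capture has to key on the body parameter instead. The sketch below is an added example, not code from this repository or from FBPostX; it tallies a constructed capture both ways to show the difference. The form-encoded body layout, the sample values and the function names are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

GRAPHQL_PATH = "/api/graphql/"

# Constructed sample capture: (method, URL, request body).
# Bodies are assumed to be form-encoded; every value here is made up.
SAMPLE_REQUESTS = [
    ("POST", "https://www.facebook.com/api/graphql/", "doc_id=1111&variables=%7B%7D"),
    ("POST", "https://www.facebook.com/api/graphql/", "doc_id=2222&variables=%7B%7D"),
    ("POST", "https://www.facebook.com/api/graphql/",
     "fb_api_caller_class=ExampleCaller&variables=%7B%7D"),
    ("POST", "https://www.facebook.com/api/graphql/",
     "doc_id=1111&variables=%7B%22a%22%3A1%7D"),
    ("POST", "https://www.facebook.com/api/graphql/", "variables=%7B%7D"),
    ("GET", "https://www.facebook.com/groups/feed/", ""),
]


def path_key(method, url):
    """Label a request the way a URL-only log would: method plus path."""
    return f"{method} {urlsplit(url).path}"


def operation_key(method, url, body):
    """Label a request by the action it carries, not just its URL."""
    if method != "POST" or urlsplit(url).path != GRAPHQL_PATH:
        return path_key(method, url)
    params = parse_qs(body, keep_blank_values=True)
    # The two parameters the README names as distinguishing actions.
    for name in ("doc_id", "fb_api_caller_class"):
        values = params.get(name)
        if values and values[0]:
            return f"graphql {name}={values[0]}"
    # A GraphQL POST with neither parameter is worth flagging for review.
    return "graphql <unidentified>"


def summarize(requests):
    """Return (counts by URL path, counts by operation) for a capture."""
    by_path = Counter(path_key(m, u) for m, u, _ in requests)
    by_operation = Counter(operation_key(m, u, b) for m, u, b in requests)
    return by_path, by_operation


if __name__ == "__main__":
    by_path, by_operation = summarize(SAMPLE_REQUESTS)
    print("By path:", dict(by_path))
    print("By operation:", dict(by_operation))
```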