Blue Kik Registration FAQ


Below are answers to frequently asked questions about Blue Kik regarding the Log In and Sign Up processes.

Blue Kik Information

For a few months, Kik has been rolling out changes to the login and sign up systems to add new security measures and protections.

To enforce this, they methodically disabled old versions and ultimately disabled the old method of registering, and as of 9/9/24, going through the new system is required.

The new security systems are designed to block bots, spam, mods, or anything that isn't an official device running the official app from proceeding.

Since it was introduced a few months ago, I have been analyzing the app and working on ways to enable Blue Kik to continue.

As of 9/10/24, Blue Kik is capable of logging in and signing up as normal, and is the only app that is able to do so.

In many cases, where registration is blocked on the Play Store version, Blue Kik will work.

Please see the items below for information about rules related to the service.

To make the service available to all users, please respect the following rules:

  • Do not spam the service.
  • Once you create an account or sign into an account, stay logged in for at least 1-2 days. Not doing so may cause rate limits to be hit.
  • When logging in, please make sure that the username and password are valid. If not, reset it here.

Captchas were added by me to protect my resources from bad actors and allow as many real (human) users to get in as possible.


Without such protections, people will attempt to script your app, which causes a wrongful allocation of resources (lesson learned the hard way).



This makes it much harder to do so, as anyone smart enough to do this should be smart enough to beat the protection on their own.



If you have trouble solving it, close the window by using the 'back' key and try again.

The new methods require occasional adjustments. Accomplishing this requires specialized setups, servers, etc., which cost money to operate.

To allow as many users to be able to access the app as possible, some rate limiting must be introduced.


Without such protections, spammers attempt to abuse your service via automation or other means and they will ruin it for everyone else if left unchecked. Therefore, it is necessary. I am always looking at ways to make it as unobtrusive as possible and improve this.

Try the following:

  • Log in on a genuine Android device rather than an emulator
  • Avoid using cloner or dual space apps
  • Disable your VPN temporarily (you can turn it back on after logging in)

No. The service was designed with privacy in mind, so the username / email / password / birthday / display name is never sent to the server and therefore no decisions can be based on it.


Sometimes, as necessary, the app will route some traffic through my servers to complete the request. This is only done as a means to make it work properly and to anonymize you.


All such connections are end to end encrypted with certificate pinning protection to prevent snooping by me or anyone else.

Overall, I think it will cost MediaLab more revenue than it brings in, because the system routinely flags genuine users and denies access, and since the security mechanisms are "Black Box" implementations, Kik does not know why it fails and cannot help.


The most interesting question is, will this stop spam bots from getting into DMs and joining public groups?


I personally believe that in the short term it will stop spam, but in time I do believe spammers will find ways around it like I did, as any security system is beatable with time.


Look at Ricochet Anti-Cheat as an example. Really smart people built it but it is routinely broken and overall fails to stop cheating in Call Of Duty.

Edit: to prove my point, Ricochet was recently exploited by hackers to ban other players, including well-known streamers.

Technical Information

This error occurs on the unmodified versions of Kik (from Play/App store)


Here is a list of reasons you can get this error:


  • Your IP address is banned or rate limited by Kik (limits are ~3 registrations per IP per 24 hours, ~10 logins per 24 hours)
  • Your device is banned (by Android ID)
  • Your device is rooted (unlocked bootloader) or an emulator

  • Your device gets a bad risk score, which Kik then uses to block you as suspected spam
    Side note, MediaLab seems to be breaking Google's TOS (section b) by not informing users that this is in use.

These errors can be fixed with Blue Kik, download now.

It doesn't work

Google repeatedly makes claims that their reCAPTCHA service is "Easy on humans, hard on bots", but simple research shows the opposite is true and it is not a valid means of securing applications against bots and automated attacks.


Over the years, security researchers have publicly documented their findings and proved that attacks against it can be automated successfully, with even higher success rates than humans can achieve.


All of this can be easily found online:


Under the hood, reCAPTCHA Mobile is similar to reCAPTCHA V3 (which is invisible), but collects lots of device data and telemetry specific to mobile devices, as well as network data.


In some cases, your GSF ID is collected, which can then be used by Google to know what Google accounts are signed in on the device.


Google then aggregates these signals to produce a risk score from 0.0 (likely bot) to 1.0 (likely human). Google recommends blocking anything lower than 0.5 to start with, and that is the approach that Kik takes. However, it is common for humans to score below 0.5, causing complaints and lost users. Some websites counter this by lowering the minimum score to 0.3 or even 0.1, or falling back to a visual CAPTCHA if the score is too low, but this can allow more bots as well.
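The threshold trade-off described above, as an added example (not code from Kik, Google or Blue Kik): a server-side policy function that maps a risk score to allow, challenge or block, evaluated over a small constructed set of labelled scores. The sample scores, policy names and function names are assumptions made for illustration.

```python
# Constructed sample of (risk_score, is_human) pairs; not real reCAPTCHA data.
SAMPLE = [
    (0.9, True), (0.7, True), (0.4, True), (0.3, True), (0.1, True),
    (0.9, False), (0.3, False), (0.2, False), (0.1, False), (0.1, False),
]

def decide(score, block_below, challenge_below=None):
    """Map one risk score (0.0 likely bot .. 1.0 likely human) to an action."""
    # Fail closed on missing, non-numeric, NaN or out-of-range scores.
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        return "block"
    if score < block_below:
        return "block"
    if challenge_below is not None and score < challenge_below:
        return "challenge"  # fall back to a visual CAPTCHA instead of refusing
    return "allow"

def evaluate(sample, block_below, challenge_below=None):
    """Count the outcomes that matter to the operator for one policy."""
    stats = {"humans_blocked": 0, "bots_allowed": 0, "challenged": 0}
    for score, is_human in sample:
        action = decide(score, block_below, challenge_below)
        if action == "block" and is_human:
            stats["humans_blocked"] += 1
        elif action == "allow" and not is_human:
            stats["bots_allowed"] += 1
        elif action == "challenge":
            stats["challenged"] += 1
    return stats

# Policies named in the text: hard cut-offs at 0.5, 0.3 and 0.1,
# plus "challenge below 0.5" with no hard block.
POLICIES = {
    "block<0.5": (0.5, None),
    "block<0.3": (0.3, None),
    "block<0.1": (0.1, None),
    "challenge<0.5": (0.0, 0.5),
}

if __name__ == "__main__":
    for name, (block_below, challenge_below) in POLICIES.items():
        print(name, evaluate(SAMPLE, block_below, challenge_below))
```

On this constructed data, lowering the cut-off trades blocked humans for admitted bots, while the challenge policy blocks no one outright but sends seven of the ten requests to a second check.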


This does not work, and the end result is that humans get blocked and don't understand how to fix it, while bots quickly learn from their mistakes via machine learning or other sophisticated algorithms, enabling them to proceed undetected.


These are the facts that Google doesn't want to talk about, but that have very much been present for years.

Their presentation of their product fools many companies into believing it will protect their business, when it does not.

A sophisticated or highly motivated attacker will not be stopped, but in many cases, your real customers will be.

There has never been a CAPTCHA that is unbeatable.


Unfair Competition


To attempt to increase security, Google engages in unfair and monopolistic competition practices in multiple ways:


  • Analyzing your Google accounts which contain lots of data. No one else can do this.

  • Dynamically loading and executing bytecode through DroidGuard[1], a proprietary VM inside a hidden APK that is quietly updated on your phone every 1-2 weeks. If you attempt to make a captcha solution that does this and submit it to the Play Store, your app will be banned, as Google doesn't allow dynamic code loading. But they make an exception for their own solution because they believe they are better than you.
    reCAPTCHA is allowed to call certain functions in DroidGuard that are unusable for every other developer.

  • Abusing GMS Core (Android). GMS Core, otherwise known as Google Play Services, is pre-installed on almost all Android phones and has a much higher privilege level than any user app. It has access to broad permissions and runs in a separate process, which is something that no other app developer can do if they want to compete with Google. It is also allowed to download and run code from the internet without notifying you, and silently install updates, which as mentioned earlier, Google has banned for everyone else except themselves.


[1] The paper mentions SafetyNet which is now deprecated, but this is still used for Play Integrity protection.