For a few months, Kik has been rolling out changes to the login and sign up systems to add new security measures and protections.
To enforce this, they methodically disabled old versions and ultimately disabled the old method of registering, and as of 9/9/24, going through the new system is required.
The new security systems are designed to block bots, spam, mods, or anything that isn't an official device running the official app from proceeding.
Since it was introduced a few months ago, I have been analyzing the app and working on ways to enable Blue Kik to continue.
As of 9/10/24, Blue Kik is capable of logging in and signing up as normal, and is the only app that is able to do so.
In many cases, where registration is blocked on the Play Store version, Blue Kik will work.
Please see the items below for information about rules related to the service.
To make the service available to all users, please respect the following rules:
Captchas were added by me to protect my resources from bad actors and allow as many real (human) users to get in as possible.
Without such protections, people will attempt to script your app, which causes a wrongful allocation of resources (lesson learned the hard way).
This makes it much harder to do so, as anyone smart enough to do this should be smart enough to beat the protection on their own.
If you have trouble solving it, close the window by using the 'back' key and try again.
The new methods require occasional adjustments. Accomplishing this requires specialized setups, servers, etc., which cost money to operate.
To allow as many users to be able to access the app as possible, some rate limiting must be introduced.
Without such protections, spammers attempt to abuse your service via automation or other means and they will ruin it for everyone else if left unchecked. Therefore, it is necessary. I am always looking at ways to make it as unobtrusive as possible and improve this.
Try the following:
No. The service was designed with privacy in mind, so the username / email / password / birthday / display name is never sent to the server and therefore no decisions can be based on it.
Sometimes, as necessary, the app will route some traffic through my servers to complete the request. This is only done as a means to make it work properly and to anonymize you.
All such connections are end-to-end encrypted with certificate pinning protection to prevent snooping by me or anyone else.
Overall, I think it will cost MediaLab more revenue than it brings in, because the system routinely flags genuine users and denies access, and since the security mechanisms are "Black Box" implementations, Kik does not know why it fails and cannot help.
The most interesting question is, will this stop spam bots from getting into DMs and joining public groups?
I personally believe that in the short term it will stop spam, but in time I do believe spammers will find ways around it like I did, as any security system is beatable with time.
Look at Ricochet Anti-Cheat as an example. Really smart people built it, but it is routinely broken and overall fails to stop cheating in Call of Duty.
Edit: to prove my point, Ricochet was recently exploited by hackers to ban other players, including well-known streamers.
This error occurs on the unmodified versions of Kik (from the Play/App Store).
Here is a list of reasons you can get this error:
Google repeatedly makes claims that their reCAPTCHA service is "Easy on humans, hard on bots", but simple research shows the opposite is true and it is not a valid means of securing applications against bots and automated attacks.
Over the years, security researchers have publicly documented their findings and proved that attacks against it can be automated successfully, with even higher success rates than humans can achieve.
All of this can be easily found online:
Under the hood, reCAPTCHA Mobile is similar to reCAPTCHA V3 (which is invisible), but collects lots of device data and telemetry specific to mobile devices, as well as network data.
In some cases, your GSF ID is collected, which can then be used by Google to know what Google accounts are signed in on the device.
Google then aggregates these signals to produce a risk score from 0.0 (likely bot) to 1.0 (likely human). Google recommends blocking anything lower than 0.5 to start with, and that is the approach that Kik takes. However, it is common for humans to score below 0.5, causing complaints and lost users. Some websites counter this by lowering the minimum score to 0.3 or even 0.1, or falling back to a visual CAPTCHA if the score is too low, but this can allow more bots as well.
This does not work, and the end result is that humans get blocked and don't understand how to fix it, while bots quickly learn from their mistakes via machine learning or other sophisticated algorithms, enabling them to proceed undetected.
These are the facts that Google doesn't want to talk about, but they have very much been present for years.
Their presentation of their product fools many companies into believing it will protect their business, when it does not.
A sophisticated or highly motivated attacker will not be stopped, but in many cases, your real customers will be.
There has never been a CAPTCHA that is unbeatable.
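The score-threshold trade-off described above (blocking below 0.5, lowering the minimum to 0.3, or falling back to a visual CAPTCHA) can be measured before a threshold is chosen. This is an added example, not code from the original page, Kik, or Google; the function names are hypothetical and the labelled scores are constructed for illustration.

```python
"""Added example: compare risk-score policies on constructed, labelled scores."""
from collections import Counter

# Constructed (label, score) pairs for illustration; not real reCAPTCHA output.
SAMPLES = [
    ("human", 0.9), ("human", 0.7), ("human", 0.4), ("human", 0.3), ("human", 0.2),
    ("bot", 0.1), ("bot", 0.3), ("bot", 0.7), ("bot", 0.9),
]


def hard_threshold(minimum):
    """Policy that blocks every score under `minimum` (hypothetical helper)."""
    def policy(score):
        return "allow" if score >= minimum else "block"
    return policy


def with_fallback(allow_at=0.5, block_below=0.1):
    """Policy that sends mid-range scores to a visual CAPTCHA instead of blocking."""
    def policy(score):
        if score >= allow_at:
            return "allow"
        return "block" if score < block_below else "challenge"
    return policy


def evaluate(policy, samples=SAMPLES):
    """Count outcomes per label so the cost of each policy is visible."""
    counts = Counter((label, policy(score)) for label, score in samples)
    return {
        "humans_blocked": counts[("human", "block")],
        "humans_challenged": counts[("human", "challenge")],
        "bots_allowed": counts[("bot", "allow")],
        "bots_challenged": counts[("bot", "challenge")],
    }


if __name__ == "__main__":
    for name, policy in [
        ("block < 0.5", hard_threshold(0.5)),
        ("block < 0.3", hard_threshold(0.3)),
        ("fallback", with_fallback()),
    ]:
        print(f"{name:12} {evaluate(policy)}")
```

The challenged counts are not final outcomes: what happens to those sessions depends on who passes the visual CAPTCHA, which this sketch does not model.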
To attempt to increase security, Google engages in unfair and monopolistic competition practices in multiple ways: