I started reading Medium again after a fairly long break, and the first thing I noticed is that almost all the stories in my feed are behind the $5/month paywall. It is not that expensive, but I am still not the kind of person who would pay without checking the alternatives first. There was a time when you could open the app, read until you got tired, then refresh to get a fresh feed of free stories. That time is gone for good, because writers are now paid for engagement on paywalled stories and everyone is opting in.

The stealthy way

Medium is not that strict about keeping you out of member-only stories. You can read up to 3 paywalled stories per month for free, and you don't even need an account to do it. Every time you want to read a story, copy the link into a new incognito tab and you're in.

The downside is that their recommendation algorithm always treats you as a newcomer.

The Twitter way

The next little hole in the paywall is for Twitter users. When you arrive from Twitter through a direct story link, Medium lets you read the story regardless of your membership status. This is an intentional hole punched by Medium itself so that writers can share their work on Twitter easily. Paste the link into a Twitter DM or tweet, click it, and you come in from there.

Although the second method is better, both need a couple of clicks for every story, which gets annoying for regular use.

The seamless way

Automating the Twitter route would make reading life much simpler, so I went on to mod the Medium Android app to spoof the Twitter redirect. Everything works smoothly and I'm treated like a paid user. Here is a brief rundown of the steps.

The first step is to identify how the Medium backend detects requests that come via Twitter. As expected, all it cares about is the Referer header in the HTTP request. I verified this by setting up an intercepting HTTPS proxy (with a self-signed certificate) in Burp Suite that adds a Referer header carrying a Twitter URL to every request passing through it. So the key that unlocks paywalled stories is having referer: https://t.co/random in the headers.
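From the server side, this is the classic mistake of treating a client-controlled header as an access-control signal. The following is an added illustration, not Medium's code and not part of the original post: a hypothetical referer gate of the kind described above next to a hardened alternative that mints a signed, expiring share link instead. The secret, the TTL, the query parameter names and lowercase header keys are all assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlparse, urlencode, parse_qs

# Hypothetical server-side secret; a real deployment would load it from a KMS or env var.
SHARE_SECRET = b"constructed-demo-secret-do-not-reuse"
SHARE_TTL = 7 * 24 * 3600  # assumed validity window for a share link, in seconds


def referer_gate(headers: dict) -> bool:
    """Weak check of the kind the post describes: treat any request whose Referer
    points at t.co / twitter.com as a Twitter share visit. The Referer header is
    set by the client, so a modified app or an intercepting proxy can always
    satisfy this check; it is an analytics hint, not an access-control signal.
    Header names are assumed to be normalised to lowercase by the framework."""
    host = urlparse(headers.get("referer", "")).hostname or ""
    return host == "t.co" or host == "twitter.com" or host.endswith(".twitter.com")


def _share_sig(story_id: str, ts: int) -> str:
    # HMAC binds the story id and the issue time to the server's secret.
    msg = f"{story_id}:{ts}".encode()
    return hmac.new(SHARE_SECRET, msg, hashlib.sha256).hexdigest()


def make_share_link(base_url: str, story_id: str, now: int) -> str:
    """The server mints the link the author shares; only it can produce the signature."""
    return f"{base_url}/{story_id}?" + urlencode({"ts": now, "sig": _share_sig(story_id, now)})


def token_gate(story_id: str, url: str, now: int) -> bool:
    """Hardened check: nothing in the request headers is trusted. Access is granted
    only if the URL carries a server-minted, unexpired signature for this story."""
    qs = parse_qs(urlparse(url).query)
    try:
        ts = int(qs.get("ts", [""])[0])
    except ValueError:
        return False
    if not (0 <= now - ts <= SHARE_TTL):
        return False  # expired, or a timestamp from the future
    return hmac.compare_digest(_share_sig(story_id, ts), qs.get("sig", [""])[0])
```

The referer gate accepts any request that claims a t.co origin, while the token gate rejects a link whose signature, story id or timestamp has been altered, and the signature cannot be forged without the server secret.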

Next, I had to find a suitable point in the APK code to inject the needle. After hours of analysing the scrambled, reconstructed Java code, I found two functions in the HTTP library (okhttp3) to infiltrate. One is RequestBuilder.build(), which is called each time a new HTTP request is built. The other is HeadersBuilder.add(), which can be used to add one extra header. Decompiled Java code cannot be built back into an APK, so the new code has to be written in smali, the assembly language for Dalvik and ART (the Android equivalents of the JVM). After messing around with registers and adb log sessions, I got code that works. Gist link.

Finally, I faced a few hurdles signing the APK. Medium uses split APKs, so all the functionality is in the base APK and device-specific resources are in a separate APK. Jarsigner didn't work, for some reason related to their use of aapt2. Apksigner saved the day.

Happy reverse engineering.