Der-Henning / tgtg

Scanner for Too Good To Go Notifications
https://github.com/Der-Henning/tgtg/wiki
GNU General Public License v3.0

How did you figure out the API endpoints used by this app? #104

Closed jimzor closed 1 year ago

jimzor commented 2 years ago

Hi!

Really cool and handy tool! I'm wondering how you figured out the API endpoints used by this app.

I would like to build something similar for a different kind of app, but don't know the API endpoints it uses. I tried to figure that out by proxying all the HTTP requests of my phone, but that didn't work out.

Really looking forward to knowing how you did it.

Cheers

Der-Henning commented 2 years ago

Hi @jimzor. In this case I didn't do the work myself. Credits to https://github.com/ahivert/tgtg-python

But in other cases I used the open source tool dex2jar. It converts the .dex file found in the app's .apk file. Now you can open the .jar in your favorite IDE and search for API endpoints. (Look for strings starting with http, etc.) Reverse engineering the correct syntax for POST endpoints is challenging though. I suggest you try to find someone who already did the work :)

Theoretically you can use proxies or Wireshark to read the sent data, but that will only work without encryption. But an API without SSL encryption shouldn't exist in production. I hope that helps.

NitriKx commented 2 years ago

I've managed to capture the traffic, but it's not very easy: modern mobile apps implement SSL pinning.

Basically, developers hardcode a list of "trusted" certificates in the app's HTTPS clients and ignore the ones provided by the Android operating system. This obviously blocks SSL traffic decryption from a proxy app like Burp, even if you add the Burp cert to the OS whitelist.

This protection can be removed "on the fly" by patching the Android app with a tool like Frida and injecting the Burp SSL certificate into the app's TrustStore (example of script). Then you will be able to decrypt the SSL traffic and get a log of the app's HTTP(S) requests.
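As an added illustration of the pinning NitriKx describes (not code from this project or from any commenter), this is how an Android app's OkHttp client pins a server key: the host name and pin strings are hypothetical placeholders, and the helper derives a real pin from a certificate file at build time.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedApiClient {
    // Hypothetical API host; the thread names no host for the app it discusses.
    private static final String API_HOST = "api.example.invalid";
    // Placeholder pins: base64 of the SHA-256 over the server's SubjectPublicKeyInfo.
    // Always ship a backup pin for a key held offline, otherwise a routine
    // certificate rotation locks every installed app out of the API.
    private static final String PRIMARY_PIN = "sha256/PLACEHOLDER_PRIMARY_PIN_BASE64=";
    private static final String BACKUP_PIN  = "sha256/PLACEHOLDER_BACKUP_PIN_BASE64=";

    // Build-time helper: generate the pin constant from a PEM/DER certificate
    // file instead of typing it by hand.
    public static String pinFromCertificateFile(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            Certificate cert = cf.generateCertificate(in);
            return CertificatePinner.pin(cert); // "sha256/<base64 SPKI hash>"
        }
    }

    public static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // The chain validated against the OS trust store, but no key in it
            // matched a pin: exactly the case of a proxy CA added to the OS store.
            // Fail closed; never fall back to an unpinned client.
            throw new IOException("Certificate pin mismatch for " + API_HOST, e);
        }
    }
}
```

As the comment above notes, this check runs inside the app process, so it protects against a rogue CA in the OS store but not against an attacker who can patch the app on the device.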

jimzor commented 2 years ago

Thanks for the great explanations! Looks really interesting, and I will look into it for sure!

Der-Henning commented 1 year ago

Closing due to inactivity.