Which program's do you use?

[SolidRhino]

Which program's do you use to reverse engineer the API?

[ThijsRay]

I install a fresh copy of the Podimo Android app and perform a man-in-the-middle attack to capture all the traffic that is generated by the app. Reversing the API becomes much easier once you know what traffic is being sent and received.

I have used

• apk-mitm to enable the app to accept my self-signed certificate
• frida-android-unpinning (basically the same as the above but without having to patch the app itself)
• mitmproxy to capture and decrypt the traffic
• PCAPdroid to send the Podimo app traffic to the mitmproxy

[JoepdeJong]

You could also use Postman to capture HTTP requests with a proxy. This works also on iOS.