Hi,
I want to reverse engineer api of an Android app to make a custom client that works on linux. I have good understanding of Linux, Networking and coding.
Where should I start? Is it too hard?
First, if you don’t have a rootable Android phone, you need to get one. An API is an API for the most part, so any cheap throwaway phone will probably work as long as it is sufficient to run the app and rootable
Basically: you need to MITM yourself (Or at least your phone), you’re going to need to generate a SSL certificate and install it to your phone and “pin” it (Basically, make your phone use it for everything, the end all be all certificate.) Then route your phones connection through a proxy that will capture the traffic and then decrypt it using the same cert. Don’t forget to do stuff on the target app, I would start it fresh to capture any authentication stuffs.
There’s an app that can do it all on the device (save for the decryption and parsing, you have to export the capture and cert to a computer for that) called Draeneg iirc
It is not too hard and you can definitely do it! It’s like a puzzle - you will get stuck at times, but if you keep going then you’ll get there.
APK files are just zip files, so you can unzip it to see its contents. From there, a java de-compiler get you a version of the source code. It will have random variable names and no comments, so it will take some digging to find and reverse the api layer.
Or, who knows, you could get lucky and find an openapi spec file and auth.txt. Worse apps have been developed.
Some relevant links to get you started:
https://github.com/shroudedcode/apk-mitm
https://github.com/emanuele-f/PCAPdroid
https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/
Edit:
also very helpful tool is https://frida.re/
And a little tutorial I’ve found to get you started with the android emulator: https://dev.to/ptisserand/mitmproxy-and-android-emulator-206b
Note, that you can only get root on the images that don’t include google play store.
It’s really not that hard, after you’ve done it once. The first time will include some head scratching and learning about some android gotchas. But after that it will be easy.
Those are some pretty great links. Thanks for sharing them.
If the app has a web counterpart, it’s easier to sniff and decode that with your browser’s dev tools.
(I realize this isn’t what you asked, but dev tools tend to be great and you won’t need to jump through as many hoops)
Interested to hear answers for this one… maybe MITM yourself and capture packets to see whats being sent?
Yeah, that’s where I’d start. I have no idea how easy it would be to make heads or tails of it. I guess best case it’s all plaintext JSON.
Keep us updated! Looks like I was on the right track, everyone else recommends the same.
Also, keep some screenshots and data you can assemble into a tutorial. You’ll likely end up using your own tutorial again at some point.
Mitmproxy should get you a long way, probably. That way, you’ll see what API calls the app makes with what parameters, and what the responses look like.
deleted by creator