Hi,

I want to reverse engineer api of an Android app to make a custom client that works on linux. I have good understanding of Linux, Networking and coding.

Where should I start? Is it too hard?

  • cm0002@lemmy.world
    link
    fedilink
    arrow-up
    36
    ·
    11 months ago

    First, if you don’t have a rootable Android phone, you need to get one. An API is an API for the most part, so any cheap throwaway phone will probably work as long as it is sufficient to run the app and rootable

    Basically: you need to MITM yourself (Or at least your phone), you’re going to need to generate a SSL certificate and install it to your phone and “pin” it (Basically, make your phone use it for everything, the end all be all certificate.) Then route your phones connection through a proxy that will capture the traffic and then decrypt it using the same cert. Don’t forget to do stuff on the target app, I would start it fresh to capture any authentication stuffs.

    There’s an app that can do it all on the device (save for the decryption and parsing, you have to export the capture and cert to a computer for that) called Draeneg iirc

  • vzq@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    19
    ·
    edit-2
    11 months ago

    You configure your traffic to get routed through a man in the middle proxy. If you get certificate errors you can’t ignore, you need to use something like Frida to remove the certificate checks/pinning.

    After that you look at the plaintext requests. Odds are that there is an authorization system you need to figure out. Again jadx/Frida is your friend.

  • Bronco1676
    cake
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    11 months ago

    Some relevant links to get you started:

    https://github.com/shroudedcode/apk-mitm

    https://github.com/emanuele-f/PCAPdroid

    https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

    Edit:

    also very helpful tool is https://frida.re/

    And a little tutorial I’ve found to get you started with the android emulator: https://dev.to/ptisserand/mitmproxy-and-android-emulator-206b

    Note, that you can only get root on the images that don’t include google play store.

    It’s really not that hard, after you’ve done it once. The first time will include some head scratching and learning about some android gotchas. But after that it will be easy.

  • navigatron@beehaw.org
    link
    fedilink
    arrow-up
    8
    ·
    11 months ago

    It is not too hard and you can definitely do it! It’s like a puzzle - you will get stuck at times, but if you keep going then you’ll get there.

    APK files are just zip files, so you can unzip it to see its contents. From there, a java de-compiler get you a version of the source code. It will have random variable names and no comments, so it will take some digging to find and reverse the api layer.

    Or, who knows, you could get lucky and find an openapi spec file and auth.txt. Worse apps have been developed.

  • sbv@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    11 months ago

    If the app has a web counterpart, it’s easier to sniff and decode that with your browser’s dev tools.

    (I realize this isn’t what you asked, but dev tools tend to be great and you won’t need to jump through as many hoops)

    • CanadaPlus@lemmy.sdf.org
      link
      fedilink
      arrow-up
      7
      ·
      11 months ago

      Yeah, that’s where I’d start. I have no idea how easy it would be to make heads or tails of it. I guess best case it’s all plaintext JSON.

      • ∟⊔⊤∦∣≶@lemmy.nz
        link
        fedilink
        arrow-up
        2
        ·
        11 months ago

        Keep us updated! Looks like I was on the right track, everyone else recommends the same.

        Also, keep some screenshots and data you can assemble into a tutorial. You’ll likely end up using your own tutorial again at some point.

  • GissaMittJobb
    link
    fedilink
    arrow-up
    5
    ·
    11 months ago

    Mitmproxy should get you a long way, probably. That way, you’ll see what API calls the app makes with what parameters, and what the responses look like.