this post was submitted on 31 Dec 2023
55 points (95.1% liked)

Asklemmy

43916 readers
1232 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

Hi,

I want to reverse engineer api of an Android app to make a custom client that works on linux. I have good understanding of Linux, Networking and coding.

Where should I start? Is it too hard?

all 11 comments
sorted by: hot top controversial new old
[–] cm0002@lemmy.world 36 points 10 months ago

First, if you don't have a rootable Android phone, you need to get one. An API is an API for the most part, so any cheap throwaway phone will probably work as long as it is sufficient to run the app and rootable

Basically: you need to MITM yourself (Or at least your phone), you're going to need to generate a SSL certificate and install it to your phone and "pin" it (Basically, make your phone use it for everything, the end all be all certificate.) Then route your phones connection through a proxy that will capture the traffic and then decrypt it using the same cert. Don't forget to do stuff on the target app, I would start it fresh to capture any authentication stuffs.

There's an app that can do it all on the device (save for the decryption and parsing, you have to export the capture and cert to a computer for that) called Draeneg iirc

[–] vzq@lemmy.blahaj.zone 19 points 10 months ago* (last edited 10 months ago)

You configure your traffic to get routed through a man in the middle proxy. If you get certificate errors you can’t ignore, you need to use something like Frida to remove the certificate checks/pinning.

After that you look at the plaintext requests. Odds are that there is an authorization system you need to figure out. Again jadx/Frida is your friend.

[–] navigatron@beehaw.org 8 points 10 months ago

It is not too hard and you can definitely do it! It’s like a puzzle - you will get stuck at times, but if you keep going then you’ll get there.

APK files are just zip files, so you can unzip it to see its contents. From there, a java de-compiler get you a version of the source code. It will have random variable names and no comments, so it will take some digging to find and reverse the api layer.

Or, who knows, you could get lucky and find an openapi spec file and auth.txt. Worse apps have been developed.

[–] Bronco1676@lemmy.ml 8 points 10 months ago* (last edited 10 months ago) (1 children)

Some relevant links to get you started:

https://github.com/shroudedcode/apk-mitm

https://github.com/emanuele-f/PCAPdroid

https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

Edit:

also very helpful tool is https://frida.re/

And a little tutorial I've found to get you started with the android emulator: https://dev.to/ptisserand/mitmproxy-and-android-emulator-206b

Note, that you can only get root on the images that don't include google play store.

It's really not that hard, after you've done it once. The first time will include some head scratching and learning about some android gotchas. But after that it will be easy.

[–] sbv@sh.itjust.works 2 points 10 months ago

Those are some pretty great links. Thanks for sharing them.

[–] sbv@sh.itjust.works 7 points 10 months ago

If the app has a web counterpart, it's easier to sniff and decode that with your browser's dev tools.

(I realize this isn't what you asked, but dev tools tend to be great and you won't need to jump through as many hoops)

[–] luthis@lemmy.nz 6 points 10 months ago (1 children)

Interested to hear answers for this one.. maybe MITM yourself and capture packets to see whats being sent?

[–] CanadaPlus@lemmy.sdf.org 7 points 10 months ago (1 children)

Yeah, that's where I'd start. I have no idea how easy it would be to make heads or tails of it. I guess best case it's all plaintext JSON.

[–] luthis@lemmy.nz 2 points 10 months ago

Keep us updated! Looks like I was on the right track, everyone else recommends the same.

Also, keep some screenshots and data you can assemble into a tutorial. You'll likely end up using your own tutorial again at some point.

[–] GissaMittJobb@lemmy.ml 5 points 10 months ago

Mitmproxy should get you a long way, probably. That way, you'll see what API calls the app makes with what parameters, and what the responses look like.