
This is awesome work and thank you for doing this for the public without asking.

P.S. does the transit authority offer an API or is this prone to breaking when they change their page layout?

[edit: I just read about the rumor on your webpage. Clarifies.]




Thank you!

Like many other transit authorities, the STM [0] offers "GTFS" data (a standard feed format for transit info) [1].

Mucking around STM's public site, you'll also see the schedule information go by if you inspect the network requests. From what I've seen, their API endpoints are stable, reliable and fast. I've had to do ~2 updates in >1 year of service.

[0] http://stm.info/en

[1] http://www.stm.info/en/about/developers

[ edit: that rumor is just a rumor :-) ]


If you use MITMProxy or Charles you can easily intercept the traffic on 99% of all iPhone/Android apps (bit harder if pinned-certificate). These APIs are often stable because a lot of users don’t update their apps that often.


For newer Android apps this is no longer true. By default, apps only trust system CAs. User-added system CAs are not trusted by apps. I believe only the browser uses the user-added CAs.


That is why these systems generate their own certificate that you add to your phone, so you still can see the traffic.

For MITMProxy you can visit http://mimt.it when the setup is running.

A bit more difficult with “pinned-certificate” where you have to:

1) Decompile the app (easy if you search for the online APK-download and APK-decompile tools)

2) Move the certificate out of the APK and use it for the traffic between MITMProxy/Charles and the server

3) Replace the certificate in the APK with one generated for MITMProxy/Charles, or just delete it if that works for the app (most likely not)

4) Re-compile the APK and install on your device

5) Run MITMProxy/Charles as before, just with some parameters to load the “pinned-certificate”

(There are also a lot of guides for this. Maybe not for pinned-certificate.)


1) decompile 2) remove the line that does the pinning (Easy to find) 3) recompile and sign

5 minutes


It can be crazier than that. App makers who work with important APIs often pin to specific certificates (not signers) so we have one final absolute emergency measure to kill a version and force an upgrade when we have to.


That is what I refer to as pinned-certificate. Not often used except by some of the biggest companies like Facebook and Snapchat. See my answer on how to go around this.


Your answer sure wouldn't work for my tiny startup's app's pinning and we followed a guide initially.



