I’ve had this come up a few times when doing API snooping, and what I’ve done is... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

itzael on May 20, 2020 | parent | context | favorite | on: Unofficial APIs

I’ve had this come up a few times when doing API snooping, and what I’ve done is decompiling the Android version (if available) of their app using jadx [1]. You get pretty legible Java, sometimes with Kotlin artifacts, sometimes with obfuscation, but in combination with some MITM snooping you can see how auth/headers/hashes are done. Sometimes you even find internal API endpoints with a security issue or two.

[1]: https://github.com/skylot/jadx

dhruvkar on May 21, 2020 [–]

Thanks!

I've used jadx once before to decompile a steamship line app, but it was just curiosity with no end goal in mind. Didn't try it with the chipotle app.

Next project!

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact