How do I check the private API of a smartphone application?

Asked 2 years ago, Updated 2 years ago, 89 views

I am curious about the following questions.

Using the smartphone app from the web server

While searching for pla-pura, I found a service that allows me to list items on the mobile frima app (Mercari) from the web (it's called Melpon).Mercari can only be listed from the smartphone application and not from the web.How does this service operate the smartphone application?
Do you have any tools for that?

In this question, you would like to know how Mercari's server, which can only be communicated from a smartphone, is used by a server prepared by a third party, but Mercari probably uses the server API to communicate with the server.

But how do third parties acquire and use the API?

ios android network

2022-09-30 20:11

1 Answers

API research is possible by sending communication from your smartphone through your own proxy server.

A proxy server is a server that acts as a proxy for communication. It acts like a person who gets into the middle of a message game
In the message game, the person in the middle can secretly write down the words in a memo, convey them as they are, and tamper with them, just like that
In the same way, the proxy server can log requests received from smartphones, keep them as they are, and tamper with them
You can tell the server

Key role of proxy server

  • Record communications to see what they are doing (for debugging purposes)

Introduction to mitmproxy for mobile app developers
When I'm developing a mobile app, I sometimes want to check the communication between the app and the server.For example, HTTP
You will need to check if the request has been sent or if the response from the server is incorrectly.
At such times, you can stop with a debugger, but you can easily see the communication by inserting a proxy.In addition, you can tamper with the response to test the app for crashes by deliberately making it a bad response, or to simulate server failures by blocking only certain requests.

  • Investigate and tamper with communication content (check security vulnerabilities).Cheat purpose)

How to intercept or falsify SSL communications on iOS devices by proxy
When communicating with the Web/API server via API in smartphone application development, users will not be able to see the communication if they use https, and users will be able to check and falsify the communication in the same way that they can use tools.
Therefore, if you do not design and implement apps or server APIs based on this assumption, app users will be able to falsify game score results, damage to raid bosses in social games, and purchase them on EC site apps.

How proxy servers tamper with data

  • Anonymous clients by representing communication with servers

What does anonymous communication "Tor" allow
Generally, when a client (user) makes a request to a Web server or the like, a client (user) does not need to put a third party in between, but directly passes the information of a transmission source to the other party for exchange.A proxy enters between the client and the server and requests the server on behalf of the client.In other words, the only access information left on the server side is from a proxy, and the server side does not receive information about the client it originally accesses.

  • Prevents clients from accessing specific URLs for filtering purposes

Filtering Content Using Proxy
Filtering URLs

You can use a URL file to set the content that the proxy server retrieves.Proxy always supports URLs
You can configure a list of and a list of URLs that the proxy does not support.

For example, if you are an Internet service provider running a proxy server that has content that is appropriate for your child, your child is authorized to view it. Configures a list of URLs.Then the authorized URL
You can configure the proxy server to import only .Client Unsupported URL
If you try to access the , either the proxy returns the default bForbidden メッセージ message, or the client returns the URL
You can create custom messages that indicate why you were unable to access the .

  • Accelerate response (for caching purposes)

Proxy Wikipedia
Fast Access
In the case of accessing an external web server and receiving data from inside an independent network such as the same provider's jurisdiction, data returned by the web server is temporarily stored in a proxy installed at a network entrance (the data in the proxy is called a cache).

This time, we will investigate and falsify the contents of communication as shown in the following article (check security vulnerabilities).Cheat purpose) The communication content survey in is considered to be true, and SSL communication was investigated using proxy

How to intercept or falsify SSL communications on iOS devices by proxy

Proxy information is detailed in Proxy Wikipedia.


2022-09-30 20:11

If you have any answers or tips


© 2024 OneMinuteCode. All rights reserved.