Snooping on an iPhone app's API usage (aka lightweight reverse engineering)
I don’t much like using sites that don’t offer APIs. (This is one of the reasons I don’t use Quora anymore; they’ve had plenty of time to offer an API in good faith.)
But I do like playing with new sites, and that means playing with sites that haven’t opened up an API yet. It’s funny how I keep getting into conversations with folks about “We’re not sure how to open an API” or “We’ve got an API, but we think we need to rebuild it (and/or outsource maintenance of it to a third party) before we make it public.” For those folks, please see flamework-api, an implementation of the Flickr “API framework”, for how easy it can be, and then get over your timidity! But my favorite variant on this is, “Well, we have an API for the iPhone app, but it isn’t ready for the public yet.” Because that means there is an API, and you can use it.
Some quick notes on reverse engineering an API from an iPhone app (mostly because I had to scrape all this back out of my lizard brain this week, and while it’s straightforward, there are a few steps):
- Grab a proxy, I use Charles, but Burp works just as well and is free.
- On a wifi network, fire up the proxy and enable SSL proxying.
- Connect to a secure site with a browser via the proxy. (Charles will set up proxying for Firefox automatically.)
- Using Firefox, drill into Page Info > Security > View Certificate > Details and export the CA certificate, which will be the intercepting proxy’s root cert (e.g. with Charles it will be CharlesProxySSLProxying.cer). (YMMV with different proxies and different browsers.)
- Upload the root cert somewhere you can reach with mobile Safari from your phone.
- Browse there with your phone, and add the cert.
- Throw your phone into “Airplane Mode”, re-enable wifi, and connect to the same network your proxy is running on. In the “Choose a Network” menu, drill down and set up manual proxying pointing at your laptop’s IP address, on port 8888 if you’re running Charles or 8080 if you’re running Burp (or whatever port your proxy is listening on).
- Fire up the iPhone app with the API you’re interested in, and sit back and watch the bits flow.
(Reading over this again this morning I noticed I just assumed SSL. My data points suggest that’s a reasonable assumption, both because SSL is easy and because FBOAuth is becoming more common, but obviously if the API you’re looking at isn’t running over SSL, skip steps 2-7.)
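Once the bits are flowing, the thing you actually want out of the capture is the app's endpoint list rather than a pile of individual requests. As an added example (not code from the original post), here is a Python script that reads a proxy session exported as a HAR file (assumption: your proxy can export HAR; Charles can) and collapses the captured requests into endpoint templates, folding numeric and hex-looking path segments into `{id}` so repeated calls to the same resource group together. The embedded `SAMPLE_HAR` is a constructed stand-in for a real capture.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Path segments that are plain numbers, long hex strings or UUID-shaped are
# almost certainly object identifiers; collapse them so /users/123 and
# /users/456 become one endpoint template.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{16,}|[0-9a-fA-F-]{36})$")


def endpoint_template(url):
    """Return (host, templated path, sorted query parameter names)."""
    parts = urlsplit(url)
    segments = ["{id}" if _ID_SEGMENT.match(seg) else seg
                for seg in parts.path.split("/")]
    params = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return parts.hostname, "/".join(segments), params


def summarize_har(har):
    """Group HAR entries (log.entries[].request / .response) by endpoint.

    Returns {(method, host, path_template): {"count", "params", "statuses"}}.
    """
    summary = defaultdict(lambda: {"count": 0, "params": set(), "statuses": set()})
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host, path, params = endpoint_template(req["url"])
        key = (req["method"].upper(), host, path)
        summary[key]["count"] += 1
        summary[key]["params"].update(params)
        summary[key]["statuses"].add(resp.get("status", 0))
    return dict(summary)


# Constructed sample: a minimal HAR with three requests, not a real capture.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/123?fields=name"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/456?fields=name,avatar"},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/sessions"},
     "response": {"status": 401}},
]}}

if __name__ == "__main__":
    import sys
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for (method, host, path), info in sorted(summarize_har(har).items()):
        print(f"{method:6} {host}{path}  x{info['count']}  "
              f"params={sorted(info['params'])}  statuses={sorted(info['statuses'])}")
```

Run it as `python har_endpoints.py session.har` against a real export; with no argument it summarizes the constructed sample.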