Reverse Engineering Undocumented APIs with mitmproxy
mitmproxy (https://mitmproxy.org/) is a popular tool for observing HTTP(S) traffic between client applications and their API services by acting as a "man in the middle". The resulting service calls and their payloads can then be extracted and used in other applications and scripts. It also enables savvy users to hold apps accountable for how they transmit a user's private data. Popular apps such as Snapchat have had their APIs reverse engineered in this way, enabling user behavior that is unexpected (and sometimes undesirable) for app publishers. Another example is the small but growing open source community focused on studying the Robinhood stock brokerage app and its undocumented API that, as of this writing, remains open – enabling developers to experiment with $0 commission stock trading scripts.
This presentation will show how to set up mitmproxy on a workstation, connect a second device, and log otherwise secure HTTPS traffic – capturing the underlying API calls to understand the functioning of undocumented 3rd-party APIs. We will also explore what this means for API publishers, app developers, and users concerned about their digital security.
With a passion for the ways in which technologists build solutions for people, Chris helps APIvista's clients find strategic success with their digital initiatives.
Having worked in the IT industry for 20+ years, he recently helped launch the first public API platform for a North American bank and previously built a digital agency that provided API integration & data services for its Fortune 500 clients.