
> is there a way to monitor what API a mobile app is calling?

15cm (TS)
post May 8 2022, 05:11 PM, updated 3w ago

on desktop we just click F12 and go to the network tab

but on mobile apps? I want to spy on what api endpoint they are calling.

user posted image
silverhawk
post May 9 2022, 12:58 AM


There are apps like these:

https://play.google.com/store/apps/details?...tor&hl=en&gl=US
arturo_bandini
post May 9 2022, 03:08 PM


QUOTE(15cm @ May 8 2022, 05:11 PM)
on desktop we just click F12 and go to the network tab

but on mobile apps? I want to spy on what api endpoint they are calling.

user posted image
*
burp suite (paid) or zed application proxy (free).

however, nowadays there are "protections" that mobile apps can use to prevent others from studying their traffic. for better or for worse, attackers also created countermeasures to these protections: frida, etc.

guides / tutorials are plenty on the net. if it's not just for fun, you should probably hire a professional to help you. or get proper (paid) training on using those tools i mentioned.

iammyself
post May 9 2022, 08:58 PM

Here's another idea but I don't remember the exact implementation.

I used my laptop as a proxy for my Android phone. On the laptop I run Wireshark to monitor the network activity. This exposes the API endpoints and other nasty stuff.

At least that's how I remember it anyway.
15cm (TS)
post May 9 2022, 09:26 PM

QUOTE(silverhawk @ May 9 2022, 12:58 AM)
There are apps like these:


*
for some reason it isn't working lol

it pops a message on first launch saying it doesn't work after android 10 something something.

anyway i give up

i wanted to scrape a mobile app by knowing what API it uses, since its web version uses server side rendering and puts all the data into an image. i'll just use ML to reverse engineer the image back into data.
flashang
post May 10 2022, 12:09 PM


QUOTE(arturo_bandini @ May 9 2022, 03:08 PM)
burp suite (paid) or zed application proxy (free).

however, nowadays there are "protections" that mobile apps can use to prevent others from studying their traffic. for better or for worse, attackers also created countermeasures to these protections: frida, etc.

guides / tutorials are plenty on the net. if it's not just for fun, you should probably hire a professional to help you. or get proper (paid) training on using those tools i mentioned.
*
You may need to read the T&C before doing this.
Testing / finding a backdoor in a product without proper invitation / authorization may have legal issues.

https://github.com/venomous0x/WhatsAPI


15cm (TS)
post May 10 2022, 06:36 PM

QUOTE(flashang @ May 10 2022, 12:09 PM)
You may need to read the T&C before doing this.
Testing / finding a backdoor in a product without proper invitation / authorization may have legal issues.


*
if i understand this correctly, he did what i am trying to do, intercepted the whatsapp api and is trying to create his own whatsapp app with the api?

what a chad
FlierMate
post May 10 2022, 08:59 PM

QUOTE(15cm @ May 10 2022, 06:36 PM)
if i understand this correctly, he did what i am trying to do, intercepted the whatsapp api and is trying to create his own whatsapp app with the api?

*
If I use WhatsApp for Web, press F12 and go to Network tab, how do I know the API being called?

Perhaps you can teach me...

user posted image
15cm (TS)
post May 10 2022, 09:18 PM

QUOTE(FlierMate @ May 10 2022, 08:59 PM)
If I use WhatsApp for Web, press F12 and go to Network tab, how do I know the API being called?

Perhaps you can teach me...

user posted image
*
since this is similar to a chat room, i believe it's websocket type
15cm (TS)
post May 10 2022, 09:20 PM

QUOTE(FlierMate @ May 10 2022, 08:59 PM)
If I use WhatsApp for Web, press F12 and go to Network tab, how do I know the API being called?

Perhaps you can teach me...

user posted image
*
found it


user posted image
xHj09
post May 14 2022, 05:25 AM


fiddler? charles?

 
