From: Joann Mõndresku Date: Wed, 15 May 2024 19:56:05 +0000 (+0300) Subject: Oops. SSL was unnecessary in this example. X-Git-Url: https://git.based.quest/%7B%7B?a=commitdiff_plain;h=37ff2de80097ee6ceed3ac5bd14651dde5e46726;p=web-hugo.git Oops. SSL was unnecessary in this example. --- diff --git a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md index 3ef80ca..2fb1f57 100644 --- a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md +++ b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md @@ -98,7 +98,12 @@ certain global values. ## The smoke-test So we have a potential API endpoint, let's put it to the test. We're not going to recompile anything yet or do any byte-patching, -let's try a quick smoke-test. Ensure your phone is rooted and you have a variant of Xposed Framework installed (I used LSPosed). +let's try a quick smoke-test. + +**UPDATE 15/05/2024: It turns out this old app version uses HTTP only, instead of HTTPS. You will only need to perform the AdAway instruction here. +As this information is still vastly useful for reverse engineering most apps, I will be leaving this section intact.** + +Ensure your phone is rooted and you have a variant of Xposed Framework installed (I used LSPosed). We will need to unarm the SSL pinning present in most apps, including this one, I used [io.github.tehcneko.sslunpinning](https://github.com/Xposed-Modules-Repo/io.github.tehcneko.sslunpinning) module. (NOTE: Users without root might want to skip to end of article where I showcase unpinning the app manually)