Oops. SSL was unnecessary in this example.

[web-hugo.git] / content / posts / reverse-engineering-a-mobile-app-protobuf-api.md

diff --git a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md
index 3ef80ca478a52578102d2d443ab90bf4e09bcc4f..2fb1f5797a19068bb34b454cb0cd4926cc9f0ecd 100644 (file)
--- a/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md
+++ b/content/posts/reverse-engineering-a-mobile-app-protobuf-api.md
@@ -98,7 +98,12 @@ certain global values.
 ## The smoke-test
 
 So we have a potential API endpoint, let's put it to the test. We're not going to recompile anything yet or do any byte-patching,
-let's try a quick smoke-test. Ensure your phone is rooted and you have a variant of Xposed Framework installed (I used LSPosed).
+let's try a quick smoke-test.
+
+**UPDATE 15/05/2024: It turns out this old app version uses HTTP only, instead of HTTPS. You will only need to perform the AdAway instruction here.
+As this information is still vastly useful for reverse engineering most apps, I will be leaving this section intact.**
+
+Ensure your phone is rooted and you have a variant of Xposed Framework installed (I used LSPosed).
 We will need to unarm the SSL pinning present in most apps, including this one, I used [io.github.tehcneko.sslunpinning](https://github.com/Xposed-Modules-Repo/io.github.tehcneko.sslunpinning) module.
 (NOTE: Users without root might want to skip to end of article where I showcase unpinning the app manually)