As you may have guessed, my name is Lance Newman. I’m a self-admitted tech addict with a penchant for reverse engineering a whole host of APIs, some private and some public. There are three tools that are utterly indispensable to my work. I like to call them the three “C”s.
Charles: a desktop application that acts as an HTTP/HTTPS interception proxy. It runs on Windows, Mac and Linux, and its user interface is a terrific alternative to Wireshark when all you care about is the HTTP layer rather than raw packets. While Charles is running on your machine, every HTTP/HTTPS request sent by your browsers and by any proxy-aware application on your computer will appear in it. If you have a tablet or a smartphone, make sure it’s connected to the same wifi network as your computer and set the device’s proxy to your computer’s local IP address and Charles’ listening port (8888 by default). Once that is done, all of your phone’s HTTP traffic is sent to your computer, and Charles forwards the requests on to their real destination. To see inside HTTPS rather than just the hostnames, you also have to install Charles’ root certificate on the device and enable SSL proxying for the hosts you care about; an app that pins its server certificate will refuse to connect through the proxy at all. This is the same position an attacker occupies in a “Man-in-the-Middle” attack, except that here you are deliberately intercepting your own traffic.
cURL: a command line tool (shipped on unix systems and available for Windows) that is powered by libcurl. It is used to transfer data with URL syntax. cURL supports a variety of different protocols, but for the sake of my research I’m only really interested in HTTP and HTTPS. In many regards cURL is similar to wget, only much more flexible: it lets you set arbitrary headers and send POST bodies to a given URL, which is almost essential to reverse engineering any app nowadays. Once you’ve adequately sniffed out the requests that an app sends to its API, the next step is to reproduce those requests, headers included, with cURL.
Crontab: the table (and the command of the same name) that tells the cron daemon which scripts to run periodically at given times, dates or intervals. Although this isn’t exactly vital to the task of reverse engineering an API, it lets you automate sending the requests so that they don’t have to be sent out manually. Once you’ve figured out how to send the requests correctly, it’s time to install a crontab entry so that they’re sent out on a routine basis.
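The three steps above, capture in Charles, replay with cURL, schedule with cron, as an added example that is not part of the original post. It assumes a hypothetical app that POSTs a login form to https://api.example.com/v1/login with a custom User-Agent and an X-App-Version header (both invented here to stand in for whatever Charles shows you), and that Charles is listening on its default port 8888 so the replay can optionally be sent back through it for comparison with the original capture.

```shell
#!/bin/sh
# Added example (not the original post's code): reproduce a request captured
# in Charles with curl, and emit the crontab line that repeats it every hour.
# Hypothetical endpoint and headers stand in for what you would copy from Charles.
set -eu

API_URL="https://api.example.com/v1/login"   # hypothetical endpoint
CHARLES_PROXY="http://127.0.0.1:8888"        # Charles' default listen address

# Build the curl command line that reproduces a captured POST.
# Arguments: url, username, password, optional proxy URL.
# Copying the headers from the capture matters: many APIs reject requests
# whose User-Agent or custom headers do not match the official client.
build_replay_cmd() {
    url="$1"; user="$2"; pass="$3"; proxy="${4:-}"
    cmd="curl --silent --show-error --fail"
    cmd="$cmd -A 'ExampleApp/2.1 (iPhone; iOS 7.0)'"   # hypothetical UA
    cmd="$cmd -H 'Accept: application/json'"
    cmd="$cmd -H 'X-App-Version: 2.1'"                 # hypothetical header
    # --data-urlencode percent-encodes the values and makes this a POST
    cmd="$cmd --data-urlencode 'username=$user'"
    cmd="$cmd --data-urlencode 'password=$pass'"
    # Optionally route the replay through Charles so it shows up next to
    # the original capture and the two can be compared field by field.
    if [ -n "$proxy" ]; then
        cmd="$cmd -x '$proxy'"
    fi
    cmd="$cmd '$url'"
    printf '%s\n' "$cmd"
}

# Execute the built command (the strings above are single-quoted so eval
# passes each header and form field to curl as one argument).
replay() {
    eval "$(build_replay_cmd "$@")"
}

# Produce the crontab entry that runs a replay script once an hour at the
# given minute, appending stdout and stderr to a log next to the script.
# Install it with:  cron_line /path/to/replay.sh 5 | crontab -
cron_line() {
    script="$1"; minute="${2:-5}"
    printf '%s * * * * %s >> %s.log 2>&1\n' "$minute" "$script" "$script"
}

# Dry run by default: print the command and the cron line. Set REPLAY_RUN=1
# to actually send the request (needs network access and a real endpoint).
if [ "${REPLAY_RUN:-0}" = "1" ]; then
    replay "$API_URL" "alice" "correct horse" "$CHARLES_PROXY"
else
    build_replay_cmd "$API_URL" "alice" "correct horse" "$CHARLES_PROXY"
    cron_line "$HOME/replay.sh" 5
fi
```

Note that `crontab -` replaces the whole table for the current user; append to the output of `crontab -l` first if other entries must survive.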
Having spent an extensive amount of time reverse engineering a lot of different applications, I’ve been fortunate enough to gain some deep insight into the world of cyber security. From my experiences thus far, many apps have at least a modicum of software in place to detect abnormal activity. Usually an API will limit the number of requests it accepts from one client per hour. Continuously hitting that limit automatically raises red flags.
But very seldom does a devoted hacker give up so easily. Most will purchase proxies that are dirt cheap (some even free) and route their requests through them, so that the servers are tricked into thinking the requests are coming from different places. This isn’t much of a problem for public APIs, since each user is issued an API key and an API secret that identify where the requests are coming from, and a limit enforced per key is unaffected by which address the request arrives from. With private APIs it’s a much different scenario: there is no per-user key, so the source address is often the only handle the server has. Most hackers have a whole arsenal of techniques they can choose from to really inflict some damage, but that’s a different subject entirely. The most effective way to combat spam and unauthorized access is to stop it before it happens: “preventive security,” as I like to call it. Using TeleSign drastically reduces the amount of spam a given app receives because it requires each app user to verify their identity with a legitimate phone number rather than an ever so ubiquitous VoIP number. Since most spammers spam for economic reasons (pay per click), having to spend $60 for the sole purpose of receiving a text message so that you’re granted access to the app (access which will ultimately be revoked anyway) renders the whole idea of spamming pointless and unprofitable. But I’m off my soapbox for now.
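The difference between a per-address limit and a per-key limit, as an added example that is not part of the original post. The log lines are constructed for the example (timestamp, client IP, API key, request line): one caller spreads eight requests over four proxy addresses inside a single hour, a legitimate user sends three from one address. Counting per IP keeps every address under a threshold of four, which is exactly what the proxies are bought for; counting per API key exposes the same caller immediately. For a private API the third field would be empty, and that is the gap the phone-verification argument above is about.

```shell
#!/bin/sh
# Added example (not the original post's code): hourly request counts per
# source address versus per API key, over constructed sample log lines.
set -eu

# Constructed sample log: "<ISO timestamp> <client IP> <API key> <method> <path>".
# 203.0.113.0/24 is a documentation range; the keys are invented.
SAMPLE_LOG='2014-03-01T10:00:01Z 203.0.113.5 key_a7f3 POST /v1/login
2014-03-01T10:01:12Z 203.0.113.5 key_a7f3 POST /v1/post
2014-03-01T10:03:40Z 203.0.113.9 key_a7f3 POST /v1/post
2014-03-01T10:05:02Z 203.0.113.9 key_a7f3 POST /v1/post
2014-03-01T10:07:31Z 203.0.113.17 key_a7f3 POST /v1/post
2014-03-01T10:09:55Z 203.0.113.17 key_a7f3 POST /v1/post
2014-03-01T10:12:08Z 203.0.113.21 key_a7f3 POST /v1/post
2014-03-01T10:14:44Z 203.0.113.21 key_a7f3 POST /v1/post
2014-03-01T10:02:19Z 203.0.113.50 key_9b21 POST /v1/login
2014-03-01T10:20:03Z 203.0.113.50 key_9b21 GET /v1/feed
2014-03-01T10:41:27Z 203.0.113.50 key_9b21 POST /v1/post'

# Count requests per hour bucket and per identity, reading log lines on stdin.
# $1 is the field holding the identity: 2 for client IP, 3 for API key.
# Output: "<hour> <identity> <count>", one line per pair, sorted.
count_per_hour() {
    awk -v f="$1" '{ c[substr($1, 1, 13) " " $f]++ }
                   END { for (k in c) print k, c[k] }' | sort
}

# Print only the identities whose hourly count exceeds the threshold in $2.
# This is the "red flag" check a rate limiter would raise.
over_limit() {
    count_per_hour "$1" | awk -v lim="$2" '$3 > lim'
}

# Convenience wrappers over the constructed sample, so the comparison can be
# run directly: by address nothing is flagged, by key the spreader is.
flag_by_ip()  { printf '%s\n' "$SAMPLE_LOG" | over_limit 2 "$1"; }
flag_by_key() { printf '%s\n' "$SAMPLE_LOG" | over_limit 3 "$1"; }

echo "per IP, limit 4 per hour:";  flag_by_ip 4
echo "per key, limit 4 per hour:"; flag_by_key 4
```

In a real deployment the second field would come from the connection (or from X-Forwarded-For, which is itself attacker-controlled unless a trusted proxy sets it), and the hour bucket would be a sliding window rather than a clock-aligned one; the comparison between the two keying choices is the same either way.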
This blog is dedicated to teaching aspiring and established developers about the vulnerabilities and blunders that I’ve encountered. Hopefully some of you will learn a thing or two from those mistakes.