In the world of mobile applications, APIs are the heart of communication between the client and the server. Whether you’re hunting bugs, building app clones, testing security, or trying to understand undocumented functionality, reverse engineering mobile APIs has become a powerful skill in the ethical hacker’s toolkit.
In this deep-dive, we’ll walk through a practical, technical guide on how to intercept, analyze, and manipulate mobile app APIs using two of the most powerful tools available today: mitmproxy and Frida.
🔍 Why Reverse Engineer Mobile APIs?
Mobile applications often communicate with backend servers through REST or GraphQL APIs. Many of these APIs are undocumented, obfuscated, or restricted — especially in financial, e-commerce, or proprietary apps.
Ethical and Legal Use Cases:
- ✅ Bug bounty and security testing (with authorization)
- ✅ Pentesting engagements
- ✅ Debugging undocumented APIs
- ✅ Replicating requests for automation or scraping
- ✅ Studying how apps behave in production
⚠️ Important: Always reverse engineer responsibly. Make sure you’re authorized to test an app or its APIs. Unauthorized interception may violate legal agreements and laws.
🧰 Tools We’ll Use
To successfully reverse engineer an app, we’ll need to intercept and modify its network traffic and hook into its runtime behavior.
1. mitmproxy – Man-in-the-Middle HTTPS proxy
Allows you to intercept, inspect, and modify HTTP/HTTPS traffic.
2. Frida – Dynamic instrumentation toolkit
Lets you inject JavaScript into native apps (iOS/Android) at runtime to hook functions and bypass security.
Optional:
- Android device/emulator (with root or Magisk + Frida-server)
- Genymotion or Pixel emulator with Google Play
- adb and Python installed
🧪 Step 1: Set Up mitmproxy for Interception
📦 Install mitmproxy:
pip install mitmproxy
🚀 Start mitmproxy:
mitmproxy --mode transparent
Or use the web version:
mitmweb
📱 Configure Your Device:
- Set the device’s Wi-Fi proxy to your PC’s IP and port
8080 - Install mitmproxy’s SSL certificate on the Android device:
- Visit
http://mitm.iton the device - Download and install the certificate
- Move it to the system cert store (requires root or Magisk):
adb root adb remount adb push mitmproxy-ca-cert.cer /system/etc/security/cacerts/ chmod 644 /system/etc/security/cacerts/mitmproxy-ca-cert.cer
- Visit
🔒 Bypass SSL Pinning (next section)
Many mobile apps implement certificate pinning, which blocks mitmproxy from decrypting traffic. This is where Frida comes in.
🧠 Step 2: Bypass SSL Pinning with Frida
Certificate pinning verifies the server certificate against a known fingerprint — blocking MITM proxies. To defeat this, we inject Frida hooks into the target app to disable pinning logic.
📦 Install Frida:
On your PC:
pip install frida-tools
On the Android device:
- Download the matching
frida-serverbinary for your device’s architecture from Frida’s GitHub - Push it to the device:
adb push frida-server /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server" - Start the server:
adb shell "/data/local/tmp/frida-server &"
🧬 Inject Frida SSL Bypass Script
Example script:
frida -U -n com.target.app -l frida-ssl-bypass.js
frida-ssl-bypass.js (simplified):
Java.perform(function () {
var CertificatePinner = Java.use('okhttp3.CertificatePinner');
CertificatePinner.check.overload('java.lang.String', 'java.util.List')
.implementation = function (str, list) {
console.log('Bypassing SSL Pinning for: ' + str);
return;
};
});
You can find many prebuilt scripts like frida-pinning-bypass-2 on GitHub, or write your own if needed.
🛰️ Step 3: Intercept and Analyze API Traffic
With SSL pinning removed, mitmproxy will now display all the app’s traffic — including headers, tokens, and payloads.
👀 What to look for:
- Authentication tokens (JWT, session keys)
- API endpoints
- Payload schemas (JSON, Protobuf)
- Versioning and rate limits
- Signatures or HMAC verifications
- Hidden or undocumented endpoints
Use mitmweb for a visual UI:
mitmweb
Filter traffic by host or endpoint. Export requests to Postman or curl using mitmproxy’s export tools.
🧰 Step 4: Replicate Requests Programmatically
Once you’ve reverse engineered a request, replicate it using tools like:
- Postman (for testing)
- Python (requests)
- curl
- JavaScript (Node.js or Puppeteer)
Example Python snippet:
import requests
headers = {
"Authorization": "Bearer <token>",
"User-Agent": "MobileApp/5.2.1",
"Content-Type": "application/json"
}
data = {
"query": "some_data"
}
response = requests.post("https://api.target.com/endpoint", headers=headers, json=data)
print(response.json())
🛡️ Step 5: Dealing with Extra Protections
Some apps implement advanced protections:
- Dynamic signatures (HMAC/SHA with secrets)
- Root detection
- Code obfuscation or native libraries
Countermeasures:
- Use Frida to hook native methods
- Use Frida-trace to auto-discover function calls
- Use jadx to statically analyze APK code
- Bypass root checks by patching or hooking
For advanced apps, combine static analysis (jadx, Ghidra) with dynamic Frida hooks for full visibility.
🧠 Bonus: Extract API Keys and Secrets
Some apps embed API keys or hardcoded secrets in their APKs or runtime memory. Use:
jadxto search for.api_key,secret, orBase64.decodefrida-traceto trace encryption functions
Example:
frida-trace -n com.target.app -i 'javax.crypto.Cipher.doFinal'
🔚 Conclusion
Reverse engineering mobile APIs is a powerful skill for ethical hackers, security researchers, and developers. With mitmproxy and Frida, you can uncover how mobile apps work behind the scenes — whether to test security, understand undocumented features, or create automation scripts.
This guide should give you a solid foundation for safely and responsibly exploring mobile APIs. Always make sure you’re authorized, and respect user data and platform terms.
📌 Key Takeaways
- mitmproxy intercepts and decrypts HTTPS traffic
- Frida helps bypass SSL pinning and inspect runtime behavior
- Combine static and dynamic analysis for complex apps
- Replicate API requests programmatically
- Always act within legal and ethical boundaries