
I have an Android app.

I am using API endpoints like

/latest/articles
/archives/month
/search?q=term

Now my app is for everyone, so no user registration is required. It shows some latest articles, archives and search.

Can someone know these API endpoints without the source code?

ʍѳђઽ૯ท
Santhosh
    Please see https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark. The basic response is yes, EVEN if you use SSL. – ares777 Oct 09 '18 at 09:08

2 Answers


Can someone know these API end points without the source code?

If you're concerned about misuse of your API links or the server links in your app, you should know about sniffing: even if you obfuscate your code, those links might still be visible to sniffers.

But if you're only showing some data on the Android side, you shouldn't be too worried, because you're not authenticating users or doing important things like update/edit/remove from the Android side which affect the server.

TL;DR: Yes, there are a few ways to do that. However, don't worry about it. Just follow the tutorials and obfuscate the links as much as possible.

Note that you can, however, encode/decode those endpoints and API links on the Android side too.

ʍѳђઽ૯ท
  • I mean I am not doing any update/edit/remove things, only displaying some content – Santhosh Oct 09 '18 at 10:31
  • Yes. I explained that too. No need to be worried, since the server is just returning JSON (for example) as output and you're not doing anything which affects the server side. – ʍѳђઽ૯ท Oct 09 '18 at 10:39

Can someone figure out your API endpoints? Yes.

There are various ways to figure out your endpoints; I will mention two relatively easy ones:

  1. Setting up a proxy for the phone and inspecting requests:

    • Attacker connects a phone with your application installed to their device.
    • Attacker installs their own certificate on the phone and proxies the traffic through their device, where sniffing software is running.
    • Attacker is now able to see outgoing and incoming requests in plain text, even if your endpoints are behind HTTPS.
  2. Reverse engineering your application from the APK:

    • Attacker downloads and installs your application like any other user.
    • Attacker acquires the APK of your application (it is possible to do this with the adb tool).
    • Attacker uses tools like APKTOOL, dex2jar and JD-GUI to acquire and inspect the source code of your application.

Attacker would then look for the strings in your application and eventually they would figure out your endpoints.

Obfuscation, as advertised by the other answer, does indeed help to hide your endpoints, but it does not prevent anyone from discovering them. As a general rule of thumb, you should never rely on obfuscation to hide anything that you consider a secret.

Can someone misuse your API endpoints? That depends.

If all your endpoints are used to deliver otherwise publicly available content to your application, then misuse is probably not gonna be an issue.

But let's say that you manually pick the content that will be delivered to the users of your application, and the users buy your application because they want access to your hand-picked selection of content.

In such a case, someone can misuse your unprotected endpoints: they can access your hand-picked selection of content and provide it to other users without paying (or for less money than the users would have to pay you).

The answer to your second question really depends on what kind of information you provide on your endpoints and how much you, or your users, value it.

FanaticD
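The second answer's point that string literals survive obfuscation is easy to verify on your own release build. This added example (not from either answer) scans the members of an APK, which is just a zip, for URL- and path-like strings; the APK here is a constructed in-memory stand-in with a fake classes.dex, the host name is a placeholder, and the regexes are a rough heuristic rather than apktool output.

```python
import io
import re
import zipfile

# Constructed stand-in for a built APK: a zip containing a fake classes.dex and a
# resource file. A real APK has the same layout, and its string literals (URLs,
# paths) survive name obfuscation in exactly this way.
FAKE_DEX = (
    b"dex\n035\x00" + b"\x00" * 16                   # dex magic, then padding
    + b"https://api.example.invalid/v1\x00"         # placeholder host
    + b"/latest/articles\x00/archives/month\x00/search?q=\x00"
    + b"a.b.c\x00"                                   # obfuscated class name, not a URL
)

def build_sample_apk() -> bytes:
    """Build the constructed sample APK in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", FAKE_DEX)
        zf.writestr("res/raw/config.txt", b"endpoint=/search?q=term\n")
    return buf.getvalue()

# Rough heuristics: absolute http(s) URLs, and bare path segments such as
# /latest/articles that are not part of a larger URL or dotted name.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PATH_RE = re.compile(
    rb"(?<![A-Za-z0-9:/.])/[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*(?:\?[A-Za-z0-9_=&]*)?"
)

def find_endpoints(apk_bytes: bytes) -> dict[str, set[str]]:
    """Map each zip member to the URL-like strings found in its raw bytes."""
    hits: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            found = {m.group(0).decode("ascii", "replace")
                     for rx in (URL_RE, PATH_RE) for m in rx.finditer(data)}
            if found:
                hits[name] = found
    return hits

if __name__ == "__main__":
    # Point find_endpoints at the bytes of a real release APK to audit it.
    for member, strings in find_endpoints(build_sample_apk()).items():
        print(member)
        for s in sorted(strings):
            print("   ", s)
```

Anything this turns up in your real APK is what an attacker sees after the apktool/dex2jar step, regardless of ProGuard/R8 renaming.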