freds39 | 4 years ago

Use Wireshark or similar to watch network traffic between app and API endpoint to determine technology. If standard TLS is used, the approach should be something along the lines of:

1. Create private CA with openssl.

2. Add CA certificate to mobile trust-store.

3. Start internal DNS server with entry for Bank API endpoint.

4. Create certificate for endpoint using CA above.

5. Start API (TCP? HTTP?) proxy with certificate/key above proxying+recording all API calls.

6. Start mobile banking app on mobile with CA certificate.

If the banking mobile app has already pinned the API endpoint certificate, uninstall and reinstall the app. With the recorded information you should be able to reverse engineer the API. So you need an engineer with basic understanding of PKI, HTTP and your chosen mobile app development tools.
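Added example, not part of freds39's comment: a shell sketch of what a client checks when it meets a certificate issued by a private CA as in steps 1, 2 and 4, and what a pin check adds on top of trust-store validation. It assumes the `openssl` CLI is installed; the host `api.bank.example`, the CA names and the SPKI SHA-256 pin format are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names are constructed; api.bank.example is a placeholder.
set -eu
HOST=api.bank.example

# Base64 SHA-256 of the certificate's SubjectPublicKeyInfo (a common pin format).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Create a throwaway CA named $1 and a leaf for host $2 in directory $3.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$3/ca.key" -out "$3/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3/leaf.key" -out "$3/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$3/ext.cnf"
    openssl x509 -req -in "$3/leaf.csr" -CA "$3/ca.pem" -CAkey "$3/ca.key" \
        -CAcreateserial -days 1 -extfile "$3/ext.cnf" -out "$3/leaf.pem" 2>/dev/null
}

# Report what a client sees: trust anchor $1, presented leaf $2, host $3, pin $4.
evaluate() {
    chain=fail; pin=mismatch
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 && chain=ok
    [ "$(spki_pin "$2")" = "$4" ] && pin=match
    echo "chain=$chain pin=$pin"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/origin" "$work/lab"
make_chain "Constructed Origin CA" "$HOST" "$work/origin"   # stands in for the real issuer
make_chain "Constructed Lab CA" "$HOST" "$work/lab"         # the private CA of steps 1 and 4
PIN=$(spki_pin "$work/origin/leaf.pem")                     # value shipped inside the app

echo "origin leaf, origin CA trusted: $(evaluate "$work/origin/ca.pem" "$work/origin/leaf.pem" "$HOST" "$PIN")"
echo "lab leaf, lab CA trusted:       $(evaluate "$work/lab/ca.pem" "$work/lab/leaf.pem" "$HOST" "$PIN")"
echo "lab leaf, lab CA not trusted:   $(evaluate "$work/origin/ca.pem" "$work/lab/leaf.pem" "$HOST" "$PIN")"
```

The second line of output is the case that matters for app developers: once the private CA is in the trust store the chain validates, and only the pin comparison still distinguishes the two certificates.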
