Decompiling Mobile Binaries to Extract Hidden API Endpoints

Traditional API security testing often relies on dynamic analysis through intercepting proxies like Burp Suite or Charles. While effective for observing active traffic, this method only reveals endpoints triggered during manual navigation. It fails to expose hidden administrative routes, beta features, or dormant endpoints intended for future releases.

Static analysis fills this gap by examining the compiled binary directly to understand the full application surface. By reversing the code, engineers can discover hardcoded environment variables and internal routing logic. This approach identifies how the application constructs requests before they are even sent over the wire.

The methodology involves converting machine-readable instructions back into a human-readable format. For Android, this means reversing the Dalvik Executable format back into Java or Kotlin code. For iOS, it involves disassembling Mach-O binaries into assembly or pseudo-C code to find logic patterns.

Static analysis is not just about finding hidden strings; it is about reconstructing the mental model of the original developers to predict where vulnerabilities might exist.

Android applications are distributed as APK or AAB files, which are essentially specialized ZIP archives. These archives contain the compiled bytecode in DEX files, along with resources and a manifest. To understand the API interaction, we must decompress these assets and convert the bytecode into a navigable format.

Apktool is the industry standard for unpacking the manifest and resource files. It decodes the binary XML files into a readable format and converts DEX files into Smali code. Smali is an intermediate representation that is useful for patching but difficult for high-level logic analysis.

For a higher-level view, JADX is the preferred tool for converting DEX files back into Java source code. It provides a searchable interface that allows developers to jump between class definitions and method calls. This makes it significantly easier to trace the flow of data from a user interface component to a network request.

• Apktool: Best for resource analysis and binary patching to bypass security controls.
• JADX: Best for understanding business logic and mapping internal API routing.
• Ghidra: Used for analyzing native libraries written in C or C++ via the Java Native Interface.

Developers often use tools like ProGuard or R8 to obfuscate their code before release. This process replaces meaningful class and method names with short, nonsensical strings like a, b, and c. While this makes reading the logic harder, it does not hide hardcoded strings or the overall structure of the network calls.

To combat obfuscation, you should focus on constant values and library signatures. Many developers leave sensitive information in the strings.xml file or as hardcoded constants in a Config class. These can include API keys, third-party service credentials, and base URLs for staging or development environments.

A common pattern is to search for protocol strings like https or file extensions like .json. This often leads directly to the core configuration logic of the application. Once the base URL is found, you can use the Find Usages feature in JADX to see every method that interacts with that server.

1import os
2import re
3
4# A simple script to crawl decompiled source for potential API endpoints
5def extract_endpoints(directory_path):
6    # Regex to find patterns like "https://api.example.com/v1/..."
7    url_pattern = re.compile(r'"https?://[\w\.-]+(?:/[\w\.-]*)*"')
8    
9    for root, dirs, files in os.walk(directory_path):
10        for file in files:
11            if file.endswith(".java") or file.endswith(".smali"):
12                with open(os.path.join(root, file), 'r') as f:
13                    content = f.read()
14                    matches = url_pattern.findall(content)
15                    if matches:
16                        print(f"Found in {file}: {matches}")
17
18# Example usage pointing to the JADX output folder
19extract_endpoints('./decompiled_source/sources')

Reversing iOS applications presents different challenges because they are compiled to native machine code for ARM64 architectures. Unlike the intermediate bytecode of Android, iOS binaries must be analyzed using disassemblers. This requires a deeper understanding of assembly language and the Objective-C or Swift runtime.

The first step is often decrypting the application binary, as apps downloaded from the App Store are encrypted with FairPlay DRM. Tools like Clutch or Frida-ios-dump are used on jailbroken devices to dump the decrypted Mach-O file. Once decrypted, the binary can be loaded into tools like Hopper Disassembler or Ghidra.

iOS apps written in Objective-C are particularly verbose in their metadata. Even in compiled form, the binary contains the names of classes and methods. This allows researchers to search for terms like API, Client, or Network to find the logic responsible for communicating with the backend.