Whether redesigning an aircraft’s engine or rebuilding a medical device, you can learn about many aspects of a thing by simply taking its structure apart and then putting it together again. This is the concept of reverse engineering, which involves extracting knowledge or a blueprint from something. Reverse engineering APIs is important for your business’s success, as the example below shows.

Although this process was initially used for hardware, reverse engineering is extensively used for software and databases. It essentially involves opening up the “program box” of software and identifying the different components of a program and how they work together.

A famous example of software reverse engineering involves San Jose-based Phoenix Technologies, which produced a BIOS for PCs compatible with the proprietary BIOS of IBM PCs.

Phoenix employed a cleanroom approach to creating a copy of the program without referring to the source code. Through reverse engineering, the developers could analyze the IBM BIOS in detail and describe its functionality.

The company’s programmers then wrote new code according to the description provided by the developers. So, Phoenix was successful in creating a new BIOS with unique code, but one that worked like the IBM code. In doing so, the company avoided copyright infringement and also earned profits by selling the BIOS to companies that then manufactured PCs that were IBM compatible.

DreamFactory Hosted Trial Signup

Generate a full-featured, documented, and secure REST API in minutes.

Sign up for our free 14 day hosted trial to learn how.

Why Reverse Engineer APIs?

Interoperability is one of the main reasons for reverse engineering APIs. Unlike a few decades ago, when software could exist in isolation, nowadays, a program runs on a complicated operating system and involves communication with several libraries created by different people. Reverse engineering APIs for interoperability involves API integration and learning new ways in which programs can exchange and use information.

Reverse engineering is also instrumental in exposing security failures and inefficient privacy practices. For instance, the healthcare industry witnessed a record number of data breaches in 2021, according to the Department of Health and Human Services. Reverse engineering can solve this problem by tracing the source code to identify significant security flaws, ensuring your system’s safety.

Web Proxy Tools Used for Reverse Engineering APIs

Developers use tools to implement a proxy to reverse engineer a private or public API. A web proxy server is an alternate server that can capture HTTP requests between the website’s real server and the web browser. You can use any transparent HTTP/S proxy for this purpose.

  • Mitmproxy: MITM is an acronym for Man-in-the-Middle. Mitmproxy is an open-source proxy with a console interface for HTTP/1, HTTP/2, and WebSockets.
  • Fiddler: Fiddler is a debugging proxy tool with an enhanced UI for Windows, Linux, and macOS.
  • Burp: Burp is a web proxy server that intercepts traffic between the browser and the target applications. It can test any REST API endpoint if you are using any typical client for that endpoint to generate traffic.
  • Postman: This is an API platform for creating and using APIs. You can configure your custom proxy settings with Postman so that it can forward your HTTP/S requests through a proxy server.

Steps to Reverse Engineer APIs Using MITM Proxy

Step 1: Install the executable from mitmproxy.org to start the server.

Step 2: Open port 8080 or disable the firewall.

Step 3: Go to your phone’s Wi-Fi settings and navigate to Proxy Server to enter the IP address of your PC.

Step 4: Go to http://mitm.it/ on your Android phone and install the required certificate. For iOS, you need to visit your iPhone’s settings and confirm the installation of the recently downloaded certificate.

Step 5: Go to a website on your Chrome browser, and you will be able to view the traffic on mitmproxy.

Step 6: Explore any private API and get acquainted with the endpoints of the API and its JSON payload format.

Step 7: Replicate the API calls to view different options.

When replaying a request in mitmproxy, you should identify which headers are obligatory. To test the API, you can also use browser extensions such as Postman. However, doing so adds unnecessary headers that you cannot avoid.
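One way to find the obligatory headers of a captured request, shown as an added example that is not part of the original article: drop one header at a time and keep only those whose removal makes the replay fail. The captured headers and the `stub_api_accepts` function are constructed stand-ins for a real replay, so the block runs offline.

```python
from typing import Callable, Dict, List

Headers = Dict[str, str]

def required_headers(captured: Headers,
                     accepted: Callable[[Headers], bool]) -> List[str]:
    """Names of the captured headers the server actually needs.

    `accepted` replays the request with the given headers and reports
    whether the response still counts as a success.
    """
    if not accepted(captured):
        # Expired token or stale capture: every trial would fail, so stop.
        raise ValueError("baseline replay was rejected; recapture the request")
    kept = dict(captured)
    for name in captured:
        trial = {k: v for k, v in kept.items() if k != name}
        if accepted(trial):
            kept = trial  # optional header, leave it out from now on
    return list(kept)

# Constructed capture (lower-cased names); all values are made up.
CAPTURED = {
    "user-agent": "ExampleApp/1.0",
    "accept": "*/*",
    "authorization": "Bearer CONSTRUCTED-TOKEN",
    "content-type": "application/json",
    "x-requested-with": "XMLHttpRequest",
    "referer": "https://app.example.test/",
}

def stub_api_accepts(headers: Headers) -> bool:
    """Constructed stand-in for a real replay: this pretend API needs a
    bearer token and a JSON content type, and ignores everything else."""
    return (headers.get("authorization", "").startswith("Bearer ")
            and headers.get("content-type") == "application/json")

if __name__ == "__main__":
    print(required_headers(CAPTURED, stub_api_accepts))
```

In real use, `accepted` would resend the request and check the status code or response body.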

Steps to Reverse Engineer an API Using Postman

Postman makes it easier to replicate a request by rendering the client requests more visible. You can also use Postman to inspect a single request or a stream of requests. Here are the steps to import a single request.

Step 1: In Chrome, right-click the page and select Inspect to open the Chrome DevTools panel.

Step 2: Navigate to the Network tab to view network requests.

Step 3: Select the request you want to import to Postman.

Step 4: Right-click on the request and select Copy as cURL.

Step 5: Now, go to the Postman app and click on the Import button.

Step 6: Navigate to Paste Raw Text and paste your cURL and authorize the import. Your request is now successfully imported to Postman for further inspection.

These steps are just to get you started inspecting HTTP traffic on a website and understanding what’s happening. Sometimes the website may use SSL certificate pinning, which restricts the certificates considered valid for that website; if it does, these steps may not work. Also, you may encounter complex requests that need to be authenticated.

Final Thoughts

Reverse engineering is a powerful tool that helps software developers improve their code and the interoperability between different programs. Sometimes, APIs are not written correctly, so third-party developers have no choice but to reverse engineer the programs they want to work with.

DreamFactory allows you to configure API calls from multiple databases, which boosts your reverse-engineering efforts. Start your 14-day trial here.
