Ask HN: Find developers to work on API back-engineering
1 points by simonpurdon10 1576 days ago
I'm a PO that's developing a fintech product in South Africa. Our banks don't play nicely in terms of data extraction and APIs are non-existent. No such thing as open banking here.

I am looking to hire a developer that is a specialist in reverse-engineering the APIs that the banks use to connect their mobile apps to their servers. We would then use the structure of those APIs to build our own products on top of. We currently have a version of this product that works using scraping, but we're exploring a solution that is more sustainable.

2 Questions:

1. What specific skills should I be looking for in this developer? Native experience? Backend/API-specific?

2. Where best to look for that type of developer, if anyone has any advice?

TIA

3 comments

You should best be looking for a developer that happened to have written that API in the bank in the first place. If you can't get that, you need someone with either strong networking experience so they can RE the API from a network perspective or someone with RE experience to attack them from either their mobile apps or browser apps.

Either way, you are looking for a specialist in reverse engineering with knowledge in the networking field and no issues with doing the reverse engineering depending on what the law is in SA.

Where to look for that kind of developer? In the Hacker/Security Community. Your problem will be that you need that someone to stay on your payroll to quickly adapt to the banks changing their API because they won't like 3rd parties using them, so contractors are probably out. Now, Security Experts are not cheap, they are in high demand and if they are competent they won't be interested in doing busy normal dev work while they wait for an API Change.

Also, you don't need ONE you need A LOT of them, because when (not if) the banks change their APIs to fuck with your product, you don't want to rely on a single engineer as the only one able to do it, since it's likely core to your product, you'll need redundancy.

I don't know how the Sec/Hacking community in SA is, but if you need to rely on specialists outside of SA to do it, be prepared to pay... a painful amount.

Thanks, that is super helpful.

There are other products that have done exactly what I described above. They have instant EFT solutions etc. So I'm almost certain there are developers who can do it locally. But that helps.

Use Wireshark or similar to watch network traffic between app and API endpoint to determine technology. If standard TLS is used the approach should be something along the lines of:

1. Create private CA with openssl.

2. Add CA certificate to mobile trust-store.

3. Start internal DNS server with entry for Bank API endpoint

4. Create certificate for endpoint using CA above

5. Start API (TCP? HTTP?) proxy with certificate/key above proxying+recording all API calls.

6. Start mobile banking app on mobile with CA certificate

If the banking mobile app has already pinned the API endpoint certificate, uninstall and reinstall the app. With the recorded information you should be able to reverse engineer the API. So you need an engineer with basic understanding of PKI, HTTP and your chosen mobile app development tools.
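The comment above touches two separate checks: the trust-store validation that an added CA certificate changes, and the pin comparison an app makes against a value it ships with. The sketch below is an added example, not part of the comment, showing from the app's side what each check accepts; the hostname `api.bank.example`, both CA names and all keys are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: api.bank.example and both CA names are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA LEAF: certificate for api.bank.example signed by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.bank.example" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# spki_pin CERT: base64 SHA-256 of the certificate's SubjectPublicKeyInfo
spki_pin() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# chain_ok CERT CA...: trust-store check, true if CERT chains to a listed CA
chain_ok() {
  cert=$1; shift
  : > "$WORK/store.pem"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$WORK/store.pem"; done
  openssl verify -CAfile "$WORK/store.pem" "$WORK/$cert.crt" >/dev/null 2>&1
}

# pin_ok CERT PIN: pin check, true if CERT's key hash equals the shipped pin
pin_ok() { [ "$(spki_pin "$1")" = "$2" ]; }

make_ca public "Public CA"        # CA the real endpoint chains to
make_ca added  "Device-added CA"  # CA added to the device trust store
issue public real                 # certificate the real endpoint serves
issue added  proxy                # certificate for the same name from the added CA
PIN=$(spki_pin real)              # value the app was built with

for leaf in real proxy; do
  chain_ok "$leaf" public added && c=pass || c=fail
  pin_ok "$leaf" "$PIN" && p=pass || p=fail
  echo "$leaf: chain=$c pin=$p"
done
```

Both certificates pass the chain check once the added CA is in the store; only the certificate carrying the pinned public key passes the pin check, which is why pinning and trust-store validation are treated as independent controls.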

Thank you!

I'm confused by your wording.

Are you trying to build a new fintech product that will have zero connection to these banks? Or, are you trying to build a product that interfaces with these banks by trying to piggy-back off of their own APIs?

The second question is more aligned to what we're doing. We currently interface with banks through a scraper. It's inefficient, slow and at risk of breaking when the banks change their interface.

To be clear - we provide this interface with the banks as a service to other companies who want to use the consumer's data inside the bank account (with their consent of course). A good example is a loan affordability calculation. Instead of asking a user to upload a bank statement, we provide the interface with their online banking profile which allows them to extract raw transaction data more quickly. We then send that data to the company that is offering the loan so that they can make an affordability decision.

In our country there are other companies who do the RE method. I am not aware there is another way, other than scraping, and that's because our banks don't offer external APIs.

Anyways, I have doubts this is worth your time (and money) regardless of your answer to my question above.

If you're looking to RE these mobile apps solely for inspiration, you're better off hiring senior-level employees with experience working for banks and/or in fintech and starting from there. If you insist on RE-ing something, then try to RE a fintech product that you are trying to emulate.

Alternatively, if you're telling me that you guys plan on somehow piggy-backing off of the banks' APIs, then you need to work directly with the banks. If that's not an option, then your product has already failed and it's time to move on.