by solarkraft 1434 days ago
I need to pirate a backend, but I don't know the API.

A fitness tracker I have (Jawbone Up Move) is coupled with an app, which is coupled with an online service, which has been dead since 2017.

Are there any tips, tricks or resources regarding this? Best I can currently do is `mitmdump --set connection_strategy=lazy` (the last part is important so it doesn't try to connect to the original server and throw a weird error), but I don't know what the app wants as a response to its login request.

A look at the decompiled code doesn't immediately reveal much. Are there any common patterns for this type of stuff?

2 comments

If you can elaborate on (or show, but I realize that's legally hazy) the decompiled source, I think this should be possible to discern. I'd probably start by looking for anything in the source that looks like it's making any kind of network connection, then narrowing it down from there.

Typically, the response to authentication is a yes/no plus a token or other piece of session state for the authenticated app to store. You might poke through the structure of the in-app storage to see where the authentication information lives, and then go backwards from there to where it is set.

Edit: On a cursory google search, https://github.com/ryanseys/node-jawbone-up looks like it might help you.
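As an added example, not code from either poster, tying the `mitmdump --set connection_strategy=lazy` setup in the question to the yes/no-plus-token reply pattern described above: a mitmproxy addon that logs every request the app makes to a JSON-lines file and answers the login request with a placeholder token, so the app moves on to its next request and that one shows up in the log too. The login path (`/login`) and the token field name are assumptions; the page does not give them, and both should be replaced with whatever the decompiled app and the log reveal.

```python
"""Stub backend for an orphaned app, as a mitmproxy addon.
Run:  mitmdump -s stub_backend.py --set connection_strategy=lazy
Each request is appended to requests.jsonl so the shape of every
exchange can be worked out one endpoint at a time."""
import json

try:
    from mitmproxy import http  # needed only when running under mitmdump
except ImportError:  # lets the pure helpers below be imported without mitmproxy
    http = None

LOG_PATH = "requests.jsonl"
# ASSUMED placeholder: the real login path comes from the decompiled app
# and the request log; the token field name is a guess to be corrected likewise.
LOGIN_PATH = "/login"
INTERESTING = ("authorization", "cookie", "content-type", "user-agent")

def describe_request(method, path, headers, body):
    """Flatten the parts of a request worth studying into a JSON-able record."""
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        parsed = body.decode("utf-8", "replace")  # not JSON; keep the raw text
    return {"method": method, "path": path,
            "headers": {k: v for k, v in headers.items() if k.lower() in INTERESTING},
            "body": parsed}

def stub_response(method, path):
    """Login gets a success body with a placeholder token; everything else gets an
    empty object so the app proceeds to its next request instead of erroring out."""
    if method == "POST" and path.startswith(LOGIN_PATH):
        return 200, {"status": "ok", "token": "placeholder-session-token"}
    return 200, {}

class StubBackend:
    def request(self, flow):
        req = flow.request
        record = describe_request(req.method, req.path, dict(req.headers), req.content or b"")
        with open(LOG_PATH, "a") as f:
            f.write(json.dumps(record) + "\n")
        status, payload = stub_response(req.method, req.path)
        # Setting flow.response here means mitmproxy never dials the dead upstream.
        flow.response = http.Response.make(
            status, json.dumps(payload).encode(), {"Content-Type": "application/json"})

addons = [StubBackend()]
```

Each run of the app extends requests.jsonl; the stub grows one endpoint at a time as the log shows what the app sends next.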

I would suggest looking at how the tracker communicates with the app and try to reverse engineer that part. Once you are able to communicate with the tracker, you can build your own app.

Trying to reverse engineer the API the app uses seems harder, and is a less direct solution to your problem, IMO.