by sccxy 588 days ago
> Mobile apps have no choice but to use HTTP APIs. You can easily download a lot of iOS apps through the Mac App Store, then run strings on their bundles to look for endpoints.

Are there any good tutorials for that? 'strings' is not the greatest name for searching good information.

9 comments

Just to clarify a bit more for those who are new to strings and because the audience for the post may lean towards people fresher to reverse engineering:

While most of the time you're dealing with variables and such in programs, at some point you have to hardcode some information such as URLs to query, so something like

    import requests

    BASE_URL = "https://example.com"
    result = requests.get(BASE_URL + "/api/blah")

If we pretend this is in an Android app which is stored as an apk file (a zip file, basically), running strings would spit out "https://example.com" and "/api/blah".

It'll also spit out anything that appears to be an ASCII character, so plenty of junk, but it's often quite handy as a starting point.

There are, of course, much more precise tools such as man-in-the-middle proxying, but with that you'll only capture traffic for endpoints actually used by said app. The app may contain other endpoints left unused, rarely triggered and so on.

`strings` is the Unix command line utility[0] of the same name.

  strings file
will tell you all of the ASCII strings in file.

0 - https://www.unix.com/man-page/osx/1/strings/

    strings -el
For utf-16 encoded ascii strings (very useful when dealing with windows executables).
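As an added illustration (not code from any commenter), here is a minimal reimplementation of what `strings` and `strings -el` do, followed by the filtering step the thread describes: pulling out the hardcoded URLs and API paths from the printable runs. The sample bytes are constructed for the example; on a real binary the ASCII and UTF-16LE scans would run over the file contents instead.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample "binary" (not a real app): printable runs buried in junk bytes,
# including an ASCII URL, an ASCII path fragment and a UTF-16LE URL.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x02\x00\x00"
    + b"https://example.com\x00\x03\x04\x05"
    + b"/api/blah\x00\xde\xad"
    + "https://api.example.net/v2/login".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00\xffok\x00"  # runs shorter than the 4-char minimum are skipped
)

# Shape of a hardcoded endpoint: an absolute URL or an absolute path fragment.
ENDPOINT_HINT = re.compile(r"^(?:https?://\S+|/[A-Za-z0-9_./-]+)$")


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like plain `strings`: maximal runs of printable ASCII of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like `strings -el`: printable chars stored as 16-bit little-endian code units."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def endpoint_candidates(data: bytes) -> List[Tuple[str, str]]:
    """Extract both encodings, then keep only strings that look like URLs or API paths."""
    tagged = [("ascii", s) for s in ascii_strings(data)]
    tagged += [("utf-16le", s) for s in utf16le_strings(data)]
    return [(enc, s) for enc, s in tagged if ENDPOINT_HINT.match(s)]


if __name__ == "__main__":
    # Run against the constructed sample, or a file path given on the command line.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for enc, s in endpoint_candidates(blob):
        print(f"{enc:8s} {s}")
```

The 4-character minimum matches the default of the real tool; raising it cuts down the junk the thread mentions at the cost of missing short path fragments.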
I was about to post the exact thing, I don't see anything API related to iOS apps on Google.

Edit: After some Googling and trying it on my MacBook, there is a native CLI tool called "strings". Supposedly it does the following: strings is primarily used to find and display printable character sequences in binary files, object files, and executables. Which means the author is probably looking at the app to see the hardcoded characters in the app binary(?) and searching for the API endpoints.

Just for context, strings is super commonly used when reverse-engineering anything. It's a great first step because it's easy, fast, and gets some decent clues to help you get your bearings in an unknown binary file.
Among 'nm' and 'binwalk -e $FILE'.
"strings" is a Unix CLI utility that automates the equivalent of a tried and true practice on Windows: opening an executable file in Notepad.exe and scrolling around until you find human-readable text (usually near the end of the file).
If you want to RE some Android apps' HTTP or even HTTPS, it's more straightforward to use httptoolkit and frida. Might be a bit rough the first time you do it, but once it's set up it's a breeze. You can intercept calls and even modify them, etc.

https://httptoolkit.com/blog/frida-certificate-pinning/

https://github.com/httptoolkit/frida-interception-and-unpinn...

This is actually now built into HTTP Toolkit, so it's easier than it sounds - if you connect a rooted device, there's an "Android app with Frida" interception option that installs Frida and runs the scripts above for you against any given app on the device automatically. Funded by the EU! https://nlnet.nl/project/AppInterception/
Not sure what "strings" is, but I always use Charles Proxy to inspect traffic for any mobile app: https://apps.apple.com/us/app/charles-proxy/id1134218562
gnu strings: (first google result from "gnu strings" search) https://sourceware.org/binutils/docs/binutils/strings.html
strings is a Unix program that shows you strings in a binary file.
I googled a bit and found this, which points to some other tools.

https://www.corellium.com/blog/ios-mobile-reverse-engineerin...

(No affiliation.)