A proof-of-concept Python script demonstrating reverse engineering techniques for a mobile application's private API.
This project is for educational purposes only and should not be used for any malicious or unauthorized activities. For legal reasons, the real values and app name have been redacted.
The reverse engineering process began with Burp Suite configured as an HTTPS proxy to intercept traffic between the Android application and its backend services. By analyzing the captured requests, I identified that the app uses Firebase Authentication for user login, specifically calling googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword with custom headers including X-Android-Cert and X-Firebase-Appcheck tokens extracted from the APK. This is implemented in login(), which returns a JWT bearer token and refresh token for subsequent API calls. Token expiration is handled by refresh_token().
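The token-lifetime handling mentioned above, as an added example that is not the project's script: it assumes, as the README describes, that login() yields a Firebase ID token (a JWT whose `exp` claim is a Unix timestamp) plus a refresh token, and that a refresh is a POST of `grant_type=refresh_token` to the Firebase secure-token endpoint. The HTTP transport `post_form`, the `TokenSession` class and the `make_unsigned_jwt` helper are assumptions introduced here so the logic runs offline; the key and token values are constructed placeholders.

```python
"""Expiry-aware handling of a Firebase ID token (added example, not the project's code)."""
import base64
import json
import time
from typing import Any, Callable, Dict, Optional

SECURE_TOKEN_URL = "https://securetoken.googleapis.com/v1/token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> Optional[int]:
    """Read the `exp` claim of a JWT without verifying its signature.

    Reading claims this way is acceptable only for deciding *when to refresh*
    on the client that already holds the token; it is never a substitute for
    signature verification on a server that has to trust the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    return int(exp)


def needs_refresh(token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True if the token is unparseable, lacks `exp`, or expires within `skew` seconds."""
    exp = jwt_exp(token)
    if exp is None:
        return True
    current = time.time() if now is None else now
    return current + skew >= exp


class TokenSession:
    """Keeps an ID/refresh token pair and refreshes the ID token before it expires.

    `post_form` (assumed transport) POSTs form fields to a URL and returns the
    parsed JSON response; `clock` is injectable for deterministic testing.
    """

    def __init__(self, api_key: str, id_token: str, refresh_token: str,
                 post_form: Callable[[str, Dict[str, str]], Dict[str, Any]],
                 clock: Callable[[], float] = time.time) -> None:
        self._api_key = api_key
        self._id_token = id_token
        self._refresh_token = refresh_token
        self._post_form = post_form
        self._clock = clock
        self.refreshes = 0

    def bearer(self) -> str:
        """Return a token usable in `Authorization: Bearer ...`, refreshing if needed."""
        if needs_refresh(self._id_token, now=self._clock()):
            self._refresh()
        return self._id_token

    def _refresh(self) -> None:
        resp = self._post_form(
            f"{SECURE_TOKEN_URL}?key={self._api_key}",
            {"grant_type": "refresh_token", "refresh_token": self._refresh_token},
        )
        self._id_token = resp["id_token"]
        # The refresh token may be rotated by the server; keep the newest one.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self.refreshes += 1


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned JWT for offline demonstration only (dummy signature)."""
    def enc(d: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    now = 1_700_000_000
    session = TokenSession(
        api_key="REDACTED_API_KEY",
        id_token=make_unsigned_jwt({"exp": now + 3600}),
        refresh_token="REDACTED_REFRESH_TOKEN",
        post_form=lambda url, fields: {"id_token": make_unsigned_jwt({"exp": now + 7200})},
        clock=lambda: now + 3600,  # pretend the first token has just expired
    )
    session.bearer()
    print("refreshes performed:", session.refreshes)
```

The 60-second skew is deliberate: refreshing slightly early avoids a request being rejected because the token expired in flight, and the malformed-token branch forces a refresh rather than sending an unusable bearer.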
For the image upload functionality, I discovered the app implements Firebase Storage's resumable upload protocol. This involves a two-step process: before_upload_image() initiates an upload session via a POST request with X-Goog-Upload-Command: start to obtain an upload URL, then upload_image() sends the actual image data with X-Goog-Upload-Command: upload, finalize. The response is processed by parse_upload_response() to construct the final image URL from the storage bucket path and download token.
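The two-step resumable exchange and the URL construction described above, as an added example that is not the project's code: it reuses the README's function names (before_upload_image, upload_image, parse_upload_response) but is a reconstruction, not the script's implementation. It assumes the documented Google resumable-upload headers (X-Goog-Upload-Protocol, X-Goog-Upload-Command, X-Goog-Upload-Offset, the X-Goog-Upload-URL response header) and the Firebase Storage object-metadata fields `name`, `bucket` and `downloadTokens` in the finalize response. The `FakeStorage` transport, bucket, object name and token values are constructed so the exchange can be exercised offline.

```python
"""Firebase Storage resumable upload, both steps plus download-URL construction
(added example, not the project's code)."""
import json
from typing import Callable, Dict, Tuple
from urllib.parse import quote, unquote

STORAGE_BASE = "https://firebasestorage.googleapis.com/v0/b"

# Assumed transport shape: (method, url, headers, body) -> (status, headers, body)
Http = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; proxies and servers differ in casing."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def before_upload_image(http: Http, bearer: str, bucket: str, object_name: str,
                        content_type: str, size: int) -> str:
    """Step 1: open a resumable session and return the server-issued upload URL."""
    url = f"{STORAGE_BASE}/{bucket}/o?name={quote(object_name, safe='')}"
    headers = {
        "Authorization": f"Bearer {bearer}",
        "X-Goog-Upload-Protocol": "resumable",
        "X-Goog-Upload-Command": "start",
        "X-Goog-Upload-Header-Content-Type": content_type,
        "X-Goog-Upload-Header-Content-Length": str(size),
    }
    status, resp_headers, _ = http("POST", url, headers, b"")
    if status != 200:
        raise RuntimeError(f"upload start failed with HTTP {status}")
    upload_url = _header(resp_headers, "X-Goog-Upload-URL")
    if not upload_url:
        raise RuntimeError("server did not return X-Goog-Upload-URL")
    return upload_url


def upload_image(http: Http, upload_url: str, data: bytes) -> str:
    """Step 2: send the bytes and finalize in one request; return the download URL."""
    headers = {
        "X-Goog-Upload-Protocol": "resumable",
        "X-Goog-Upload-Command": "upload, finalize",
        "X-Goog-Upload-Offset": "0",
    }
    status, _, body = http("POST", upload_url, headers, data)
    if status != 200:
        raise RuntimeError(f"upload finalize failed with HTTP {status}")
    return parse_upload_response(body)


def parse_upload_response(body: bytes) -> str:
    """Turn the finalize response (object metadata JSON) into a download URL.

    `downloadTokens` is a bearer capability: whoever holds the URL can read the
    object, so it deserves the same care as a credential in logs and reports.
    """
    meta = json.loads(body)
    bucket, name = meta["bucket"], meta["name"]
    token = meta.get("downloadTokens", "").split(",")[0]  # may be comma-separated
    if not token:
        raise ValueError("object has no download token; URL would not be readable")
    # The object path is one URL segment, so '/' in the name must become %2F.
    return f"{STORAGE_BASE}/{bucket}/o/{quote(name, safe='')}?alt=media&token={token}"


class FakeStorage:
    """Constructed stand-in for the backend that models both protocol steps."""

    def __init__(self, bucket: str, token: str) -> None:
        self.bucket, self.token = bucket, token
        self.pending: Dict[str, str] = {}     # upload URL -> encoded object name
        self.received: Dict[str, bytes] = {}  # object name -> uploaded bytes

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: bytes) -> Tuple[int, Dict[str, str], bytes]:
        command = _header(headers, "X-Goog-Upload-Command")
        if command == "start" and "name=" in url:
            upload_url = f"{url}&upload_id=session{len(self.pending) + 1}"
            self.pending[upload_url] = url.split("name=", 1)[1]
            return 200, {"x-goog-upload-url": upload_url}, b""   # lower-case on purpose
        if command == "upload, finalize" and url in self.pending:
            name = unquote(self.pending.pop(url))
            self.received[name] = body
            meta = {"name": name, "bucket": self.bucket, "downloadTokens": self.token}
            return 200, {"Content-Type": "application/json"}, json.dumps(meta).encode()
        return 400, {}, b""


def run_upload(http: Http, bearer: str, bucket: str, object_name: str,
               data: bytes, content_type: str = "image/jpeg") -> str:
    """Drive both steps and return the final download URL."""
    upload_url = before_upload_image(http, bearer, bucket, object_name, content_type, len(data))
    return upload_image(http, upload_url, data)


if __name__ == "__main__":
    fake = FakeStorage("example-app.appspot.com", "tok-constructed-1234")
    print(run_upload(fake, "ID_TOKEN", "example-app.appspot.com",
                     "images/selfie.jpg", b"\xff\xd8constructed-jpeg-bytes"))
```

When checking a real capture against this model, the two things that most often differ are the casing of the `X-Goog-Upload-URL` response header and whether `downloadTokens` is empty (objects created without a token are not reachable through `alt=media` without other authorization), which is why both are handled explicitly.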
Finally, I identified the undocumented postMomentV2 endpoint, implemented in post_moment(), which accepts the uploaded image URL along with overlay configurations for captions, text colors, and analytics metadata. The script replicates all required headers and payload structures to successfully post content through the private API.