Replies: 5 comments
-
I use Android and Windows/Linux so I don't have any familiarity with Xcode or any other iOS tools. I did try doing some MITM network snooping but didn't have much luck. I ended up pulling the APK and decompiling it with jadx and have spent a lot of time going through the codebase to find the API calls and data models. The difficult thing is that 1) the data models are downright awful, they are super inconsistent and sometimes inaccurate and 2) there is a ton of logic being done on the client side and reading through decompiled Java to figure out the logic is a huge pain in the ass. So there are likely more things like the studio on the performance summary that this package is lacking, because it's handled client side and I've really only recreated the straight API calls and data models.
-
Proxyman on macOS successfully proxied the OTF app in an Android simulator but required APK patching with apk-mitm.
-
Does that just allow seeing the network traffic going in and out of the app? I'm trying to determine if it's worth my time to get it working, since I've already handled 90% of the API calls. What I'd really benefit from the most now is a way to see what the input/output of method calls is, for the local data manipulations that are required to display most of the screens.
-
Just the network traffic. Think of the Network tab in the Chrome DevTools.
-
@marcelbarbulescu That's a good idea. I didn't think about using the Android Emulator. I had thought about using the iOS Simulator found within Xcode, but you can't install apps from the Apple App Store unfortunately. My thought was to do the same as you did, but using the proxy in Burp Suite. You could use this method on an actual phone because Burp does provide the CA so that you can decrypt the SSL traffic. @NodeJSmith Like @marcelbarbulescu says, it would purely be network traffic that you would see. You could see how the data is requested and returned. But I think you've figured that out already.
-
@NodeJSmith How are you monitoring API calls from the OTF app during development? Specifically, are you using a proxy (like Burp) with the Xcode iOS emulator, or another method? Curious to learn your approach. Thanks!