Reverse Engineering Undocumented APIs with mitmproxy

A session at API Strategy and Practice Conference 2016

Thursday 3rd November, 2016

1:30pm to 3:00pm (EST)

mitmproxy (https://mitmproxy.org/) is a popular tool for observing HTTP(S) traffic between client applications and their API services by acting as a "man in the middle". The resulting service calls and their payloads can then be extracted and used in other applications and scripts. It also enables savvy users to hold apps accountable for how they transmit a user's private data. Popular apps such as Snapchat have had their APIs reverse engineered in this way, enabling user behavior that is unexpected (and sometimes undesirable) for app publishers. Another example is the small but growing open source community focused on studying the Robinhood stock brokerage app and its undocumented API that, as of this writing, remains open – enabling developers to experiment with $0 commission stock trading scripts.

This presentation will show how to set up mitmproxy on a workstation, connect a second device, and log otherwise secure HTTPS traffic – capturing the underlying API calls to understand how undocumented third-party APIs function. We will also explore what this means for API publishers, app developers, and users concerned about their digital security.

About the speaker

Chris Busse

CTO @APIvista, formerly worked @CapitalOne / @CapitalOneDevEx, @CreateDigital
