HACKER Q&A
📣 simonpurdon10

Find developers to work on API back-engineering


I'm a PO that's developing a fintech product in South Africa. Our banks don't play nicely in terms of data extraction and APIs are non-existent. No such thing as open banking here.

I am looking to hire a developer that is a specialist in reverse-engineering the API's that the bank's use to connect their mobile apps to their servers. We would then use the structure of those API's to build our own products on top of. We currently have a version of this product that works using scraping, but we're exploring a solution that is more sustainable.

2 Questions:

1. What specific skills should I be looking for in this developer? Native experience? Backend/API-specific? 2. Where best to look for that type of developer, if anyone has any advice?

TIA

  👤 dtx1 Accepted Answer ✓
You should best be looking for a developer that happened to have written that API in the bank in the first place. If you can't get that, you need someone with either strong networking experience so they can RE the API from a network perspective or someone with RE experience to attack them from either their mobile apps or browser apps.

Either way, you are looking for a specialist in reverse engineering with knowledge in the networking field and no issues with doing the reverse engineering depending on what the law is in SA.

Where to look for that kind of developer? In the Hacker/Security Community. Your problem will be that you need that someone to stay on your payroll to quickly adapt to the banks changing their API because they won't like 3rd parties using them, so contractors are probably out. Now, Security Experts are not cheap, they are in high demand and if they are competent they won't be interested in doing busy normal dev work while they wait for an API Change.

Also, you don't need ONE you need A LOT of them, because when (not if) the banks change their APIs to fuck with your product, you don't want to rely on a single engineer as the only one able to do it, since it's likely core to your product, you'll need redundancy.

I don't know how the Sec/Hacking community in SA is, but if you need to rely on specialists outside of SA to do it, be prepared to pay... a painful amount.

👤 freds39
Use wireshark or similar to watch network traffic between app and API endpoint to determine technology. If standard TLS is used the approach should be something on the line of:

1. Create private CA with openssl.

2. Add CA certificate to mobile trust-store.

3. Start internal DNS server with entry for Bank API endpoint

4. Create certificate for endpoint using CA above

5. Start API (TCP? HTTP?) proxy with certificate/key above proxying+recording all API calls.

6. Start mobile banking app on mobile with CA certificate

If the banking mobile app has already pinned the API endpoint certificate uninstall and reinstall the app. With the recorded information you should be able to reverse engineer the API. So you need an engineer with basic understanding of PKI, HTTP and your chosen mobile app development tools.

👤 vaccc
I'm confused by your wording.

Are you trying to build a new fintech product that will have zero connection to these banks? Or, are you trying to build a product that interfaces with these banks by trying to piggy-back off of their own APIs?