In order to locate and test insecure API endpoints in mobile applications, we can follow these steps:
1. We can start by using Burp Suite, mitmproxy, or Charles Proxy to intercept and inspect the API requests and responses exchanged between the mobile app and the server.
2. Next, we can analyze the API endpoints by checking for authentication issues such as missing tokens or weak token validation.
3. We should also test for improper authorization, such as IDOR (insecure direct object reference).
4. We can also look for sensitive data exposure, such as unencrypted responses or API keys returned by the server.
5. After that, we can start testing for vulnerabilities with tools like Burp Suite's Intruder, sending fuzzed inputs and observing how the API responds.
6. We can also try manually tampering with parameters or headers, for example changing a user ID to see whether the API returns another user's data.
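As an added example that is not part of the original answer, the authorization defects steps 2, 3 and 6 look for (missing or invalid token, IDOR) are modelled below as a vulnerable handler next to a hardened one, plus the tester-side check from step 6. All tokens, user names and records are constructed for the demo; the handler and store names are assumptions, not any real app's API.

```python
"""Added example: a vulnerable profile handler beside a hardened one.
All session tokens, users and records below are constructed sample data."""
import hmac

# Constructed sample data: bearer tokens and the user each one belongs to.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-2": "bob"}
# Constructed records keyed by the numeric id an app would send in the URL.
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.test"},
    102: {"owner": "bob", "email": "bob@example.test"},
}

def vulnerable_get_profile(profile_id, headers):
    """Looks the record up by id only: no token is required and ownership
    is never checked, so any caller can enumerate ids and read other
    users' data (IDOR)."""
    record = PROFILES.get(profile_id)
    return (200, record) if record else (404, None)

def caller_from_headers(headers):
    """Validate the bearer token against the session store with a
    constant-time comparison; returns the user name or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, user in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented):
            return user
    return None

def hardened_get_profile(profile_id, headers):
    """Require a valid token, then enforce that the caller owns the record.
    A record owned by someone else is reported as 404, the same as a missing
    one, so the response does not reveal which ids exist."""
    caller = caller_from_headers(headers)
    if caller is None:
        return (401, None)
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != caller:
        return (404, None)
    return (200, record)

def idor_probe(handler):
    """The check from step 6, run against our own handler: does alice's
    valid token read bob's record? True means the endpoint is broken."""
    status, body = handler(102, {"Authorization": "Bearer tok-alice-1"})
    return status == 200 and body is not None and body["owner"] != "alice"
```

Running `idor_probe` against both handlers shows the same request that succeeds on the vulnerable version is refused by the hardened one.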
Now, talking about the tools that can be used for reverse engineering and exploiting APIs:
1. We can use tools like Jadx or Apktool to decompile a mobile app's APK and reveal API endpoints, hardcoded keys, or tokens.
2. Tools like Frida or Objection can be used to hook into the app at runtime in order to modify API requests dynamically or bypass security controls.
3. Postman can then be used to test and automate API calls and exercise weaknesses in request/response handling.
These tools and techniques help in locating the API and finding potential vulnerabilities such as broken authentication, data leakage, and improper access control.