I Spent Three Weeks Reverse Engineering a Mobile App’s API — Here’s What It Took

A while back, a client asked me a deceptively simple question: "Can you find out how our competitor's...

sabato 20 giugno 2026 New tab

664 words~3 min read

A while back, a client asked me a deceptively simple question: "Can you find out how our competitor's mobile app talks to its backend?"

No public API docs. No Postman collection floating around GitHub. Just a Flutter app, a few permissions in the manifest, and a backend that clearly wasn't expecting anyone to come knocking.

I said yes before I fully understood what I was signing up for.

The First Wall: Flutter Doesn't Decompile Like a Normal App

If you've reverse engineered a native Android app before, you know the drill — pull the APK, run it through a decompiler, read mostly-readable Java or Kotlin, find the API calls, done in an afternoon.

I Spent Three Weeks Reverse Engineering a Mobile App’s API — Here’s What It Took

I Spent Three Weeks Reverse Engineering a Mobile App’s API — Here’s What It Took

Related reading

App Making Coding Explained: From Beginner to Advanced Development | FlutterFlow

I Built an Android App With Zero Backend — Here's What Happened

⚚ I reverse-engineered my mobile operator's APK — then Hermes Agent wrote the…

Extracting a QR login from a production app and closing 11 security holes…

I Built a Free Open-Source Alternative to Sourcegraph — Here's Why"

Bringing Gemma 4 E2B to the Edge: Building a Privacy-First Dream Analyzer with…

Related reading

App Making Coding Explained: From Beginner to Advanced Development | FlutterFlow

I Built an Android App With Zero Backend — Here's What Happened

⚚ I reverse-engineered my mobile operator's APK — then Hermes Agent wrote the…

Extracting a QR login from a production app and closing 11 security holes…

I Built a Free Open-Source Alternative to Sourcegraph — Here's Why"

Bringing Gemma 4 E2B to the Edge: Building a Privacy-First Dream Analyzer with…