Hacking Android Source Code
It is most easy way to get back door entry into any companies REST endpoints.The prerequisites for doing so is android development knowledge and native android application instead of a hybrid application. The process of doing so is simple and as follows :-
1.)Download your apk from apkpure.com
2.)Decompile the apk to get source code using javadecompilers.com/apk.The process is to upload apk and get the decompiled zip file.
3.)Open the source code in code editor like eclipse or intellij.
4.)Check the library package names in the source code to tell network library used and check the source code accordingly for rest api calls and there payloads.
5.)Use postman to replicate the Rest api calls.
How to protect your android application
1.)Firstly use dexguard against proguard for code obfuscation
2.)Try to make your client as dummy as possible and let the server handle most of the processing.
3.)Adding and Deleting REST apis should be backed by multi factor authentication.
4.)Implement rate limiter on server to prevent dos attacks on unauthenticated apis like login and registeration.
Another way is to use the Key Hash generated (https://stackoverflow.com/questions/5306009/facebook-android-generate-key-hash) in all the API requests that you make. This key hash is unique to the key that you use for signing the APK and can be generated during runtime. Even facebook SDK uses this strategy and have open-sourced their SDK code on github.
Daniele Bortoluzzi