Toward discovering and exploiting private server-side web APIs

Jia Chen, Xingmin Cui, Ziming Zhao, Jie Liang, Shanqing Guo

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations


Many service providers including large enterprises have released their own applications (apps) that incorporate HTTP clients to facilitate the communications with their servers. The workflows of and APIs used by a web app and its corresponding mobile app are not always the same. We call the APIs found in apps private web APIs in that they are only supposed to be invoked by apps that developed by the service providers themselves. However, checking the origin of an HTTP request is very difficult, and private web APIs can be easily invoked by other entities. Hence, it is imperative to study if private web APIs provide the same level of security checks and validations as their public counterparts. To automatically discover the undocumented private APIs in Android apps, we design a system that uses static analysis to find the activities that invoke web APIs. Our system then runs the discovered activities on a customized Android system to monitor its HTTP requests and responses. We evaluated our system on 76 popular apps on the Google Play market. Our system successfully run 48 apps and discovered many private server-side APIs from more than 30 apps. Further manual investigation discovered that 9 of the apps have vulnerabilities that would enable API misuse and session hijacking.

Original languageEnglish (US)
Title of host publicationProceedings - 2016 IEEE International Conference on Web Services, ICWS 2016
EditorsStephan Reiff-Marganiec
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages8
ISBN (Electronic)9781509026753
StatePublished - Aug 31 2016
Event23rd IEEE International Conference on Web Services, ICWS 2016 - San Francisco, United States
Duration: Jun 27 2016Jul 2 2016

Publication series

NameProceedings - 2016 IEEE International Conference on Web Services, ICWS 2016


Other23rd IEEE International Conference on Web Services, ICWS 2016
Country/TerritoryUnited States
CitySan Francisco


  • Android apps
  • Dynamic analysis
  • Static analysis
  • Web APIs

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Toward discovering and exploiting private server-side web APIs'. Together they form a unique fingerprint.

Cite this