Kasper Grubbe


GolfQuis: a golfing iOS game built by Boolex that leaks passwords

I was looking for a company to help me build a small prototype for an idea I had for a mobile application. So to find a company I asked around, and someone mentioned the company Boolex. I naturally wanted to check out the quality of their work before going any further.

They didn’t list any references, which was the first warning sign, but upon contact they mentioned they created the game GolfQuis for iOS.

My first tool of choice is usually mitmproxy, a Python application that can run as a proxy; it lets me inspect the traffic made by whichever clients connect.
To run it, you first need to get your computer and your device on the same network, then run mitmproxy -p 4242, and point the device at the proxy using the IP of your computer and port 4242.

I downloaded GolfQuis and listened in on the traffic. First, I created a user, and my username and password were sent to...


Tsohost.com stores passwords in cleartext

Okay, it is 2015, we all know that it is a horrendously bad idea to store passwords in cleartext.

Yet, when I log in to Tsohost’s interface I am greeted with this:

[Screenshot: screenie_1449171843_157324.png]

Ugh! So either they store one version of the password in cleartext, and show that to the user, or they store the current version of the password.

Fortunately, it is really easy to switch to a new safer password scheme when you are already storing passwords in cleartext.

To recap Jeff Atwood’s post on the subject:

Use bcrypt to store passwords.

And if you want to do it really well, you should probably consider using scrypt instead.

But anything is better than storing passwords in cleartext!
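
The switch described above, sketched as an added example (not code from the original post or from Tsohost). It uses scrypt through Python's standard hashlib; the row layout, function names, cost parameters and sample users are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32

# Constructed sample rows: what a cleartext user table might look like.
SAMPLE_USERS = [
    {"user": "alice", "scheme": "cleartext", "secret": "correct horse"},
    {"user": "bob", "scheme": "cleartext", "secret": "scrypt$looks$like$a$hash$"},
]


def hash_password(password):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; malformed records fail."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                                dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def migrate(rows):
    """One offline pass: hash every cleartext row, leave hashed rows untouched.

    The explicit scheme column decides, so a cleartext password that happens
    to look like a hash record is still hashed.
    """
    out = []
    for row in rows:
        if row["scheme"] == "cleartext":
            row = {**row, "scheme": "scrypt", "secret": hash_password(row["secret"])}
        out.append(row)
    return out
```

Because the cleartext is already on hand, every row can be converted in a single batch without waiting for users to log in; after the pass, the cleartext column and any backups containing it still need to be purged.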


Teazr, a “secure” dating app with privacy issues

I have to admit, one of my hobbies includes watching API implementations and looking at the traffic flow between clients and backend servers.

Teazr is the new kid on the block in the dating app scene. It is built by three Danish guys, and they just recently received $250.000 in funding to take on the American market.

Their goal is to make dating safer, so when you match with another user, you are forced into taking a picture of yourself, and you will get a picture in return from your match.
They claim that this process is unbreakable, and that this can’t be automated, and because of this their app is free of the robots that haunt their competitors like Tinder.

I wanted to see which kind of data the app uses, and how it communicates with the backend. I used Charles Web Proxy to intercept the traffic, and the interface looks like this:

[Screenshot: akjfhaksjfdh.png]
(I have since moved on to use mitmproxy...