Abusing Web APIs Through Scripted Android Applications

While many of my colleagues were away at Black Hat, DEF CON, and BSides Las Vegas, I decided to spend a day exploring an Android app. I became interested in this particular app due to it being the “official” app of a popular web service that included some functionality not exposed to end users through the API that they’ve provided. I was reasonably sure that some spammers on this web service were using this functionality and I was interested to see just how difficult it was to do. Fun began.