🎄 Reverse engineering Hallmark's app with Claude Code

November 19, 2025

I need Hallmark's Christmas movie schedule (for marriage-related reasons)

  • Option 1: copy/paste movie listings from a website. 😴
  • Option 2: spend $20 on an LLM and reverse engineer an Android app for fun.

Given my aversion to unboiled water the choice is clear.

Let’s grab the Hallmark APK and have at it.

I’ve written about reverse engineering Android apps the hard(er) way.

How it went down with Claude Code:

Hey Claude, I want to reverse engineer this Android app for which I lost the source code 😉. The xapk is in this directory. Give me readable code to work with.

It output Java files! I expected Smali but it used a decompiler 👌

The files are obfuscated - minified names etc. That’s fine, it takes longer to read through but still achievable.

Or - throw more LLM at it.


Hey, Claude:

List the API endpoints called from this decompiled Android app. Figure out how authentication works.

🤖 POST auth/create - Register device
🤖 GET app/franchise/{id} - Get franchise details
… and so on

Create example typescript demonstrating the signup process. My email is redacted@gmail.com.
You can suffix the username with “+” and a random number for testing. Run the signup script. Verify the signup endpoint returns a successful response.

🤖 The API responded. It's returning a 400 error because the field names are different. Let me look at the actual User entity structure and update the script.
🤖 The API expects name and surname instead of firstName and lastName.
🤖 The signup endpoint is working successfully! Let me create an enhanced version of the script with better documentation and add a confirmation script as well.



I noticed the signup API returns a confirmation URL. Can we use that to complete signup? Provide a script that does so.

🤖 The confirmation body needs id, deviceId, and confirmationToken. Let me look for how to generate a device ID.
🤖 The confirmation worked (200 OK) but the response format is different. Let me check what we got back.
🤖 The script successfully obtained a working JWT access token valid for ~1 year, and verified it works by successfully calling the authenticated /app/settings endpoint.

πŸ’ Neat.


That is fantastic, well done you. I’ve saved an access token to token.txt. Using this, can you write a script that lists movies?

tl;dr: Yes.

Very impressive.
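
The signup flow above ended with a JWT access token valid for about a year. As an added example (not code from the original post or from the app), this TypeScript decodes a token's payload without verifying its signature and flags lifetimes above a policy ceiling. The one-day ceiling, the claim values and the sample token are constructed assumptions.

```typescript
// Added example: audit a JWT's lifetime from its claims (decode only, no signature check).
const g = globalThis as any; // atob/btoa are globals in Node 16+ and browsers

function b64urlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return g.atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

function b64urlEncode(s: string): string {
  return g.btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

interface LifetimeReport {
  lifetimeDays: number | null; // null when the lifetime cannot be measured
  tooLong: boolean;
  reason: string;
}

// maxDays is the reviewer's policy ceiling (an assumption, not a value from the page).
function auditTokenLifetime(token: string, maxDays: number): LifetimeReport {
  const fail = (reason: string): LifetimeReport => ({ lifetimeDays: null, tooLong: true, reason });
  const parts = token.split(".");
  if (parts.length !== 3) return fail("not a three-part JWT");
  let claims: any;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch {
    return fail("payload is not base64url-encoded JSON");
  }
  if (claims === null || typeof claims !== "object") return fail("payload is not a JSON object");
  if (typeof claims.exp !== "number") return fail("no exp claim: token never expires");
  // iat is optional in RFC 7519, so fall back to nbf as the start of validity.
  const start = typeof claims.iat === "number" ? claims.iat : claims.nbf;
  if (typeof start !== "number") return fail("no iat or nbf claim: lifetime unknown");
  const lifetimeDays = (claims.exp - start) / 86400;
  const tooLong = lifetimeDays > maxDays;
  return { lifetimeDays, tooLong, reason: tooLong ? `exceeds ${maxDays}-day ceiling` : "within ceiling" };
}

// Constructed sample token: placeholder subject, fixed timestamp, fake signature.
function makeSampleToken(lifetimeSeconds: number): string {
  const iat = 1763510400; // constructed issue time
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ sub: "example-device", iat, exp: iat + lifetimeSeconds }));
  return `${header}.${payload}.constructed-signature`;
}

console.log(auditTokenLifetime(makeSampleToken(365 * 86400), 1));
```

A year-long token reports `lifetimeDays: 365` and `tooLong: true` against the one-day ceiling; a token with no `exp` claim is flagged as well.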