.git/info/exclude

When I’m developing, sometimes there are tools or conventions that not everybody on my team agrees to use. For example, I usually use mise for SDK and utility version management, or just as a more expressive alternative to make for defining build recipes. I can define them and add them to .gitignore, but sometimes I don’t even want people to know those files exist.

In those cases, I’ve made a habit of reaching for .git/info/exclude. It has the same syntax as .gitignore and serves the same purpose. The difference is that it’s local to your clone: the exclusion list isn’t published anywhere, unlike .gitignore, which is checked in alongside the code.
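As an added example (not code from the original post), here is a shell script that builds a throwaway repo, excludes a sample `.mise.toml` through `.git/info/exclude`, and uses `git check-ignore -v` to confirm where the ignore rule comes from; the file name and its contents are just assumed samples.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway repo, hide a
# local-only tool file via .git/info/exclude, and verify git really ignores it
# without touching the checked-in .gitignore. ".mise.toml" is just a sample name.
set -eu

# Create a scratch repository with one commit and print its path.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.invalid"
  git -C "$dir" config user.name "dev"
  printf 'hello\n' > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "init"
  printf '%s\n' "$dir"
}

# Append a pattern to the clone-local exclude list (same syntax as .gitignore).
exclude_locally() {
  mkdir -p "$1/.git/info"
  printf '%s\n' "$2" >> "$1/.git/info/exclude"
}

# Print which file supplies the ignore rule for a path, e.g. ".git/info/exclude".
# check-ignore -v prints "<source>:<line>:<pattern><TAB><path>".
ignore_source() {
  git -C "$1" check-ignore -v "$2" | cut -f1 | cut -d: -f1
}

# Print the untracked entries ("?? path") that git status would show.
untracked() {
  git -C "$1" status --porcelain --untracked-files=all | grep '^??' || true
}

repo=$(make_repo)
printf '[tools]\nnode = "20"\n' > "$repo/.mise.toml"   # sample local-only tool config
exclude_locally "$repo" ".mise.toml"
echo "ignore rule comes from: $(ignore_source "$repo" .mise.toml)"
echo "untracked files: [$(untracked "$repo")]"   # empty: git no longer lists it
[ -e "$repo/.gitignore" ] || echo ".gitignore was not created or changed"
rm -rf "$repo"
```

Note that this only hides the file from git’s status and index, not from anyone who can read the clone: `.git/info/exclude` is a plain file, and `git clean -x` deletes excluded files along with every other ignored file.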

On reverse-engineering bank APIs

I have a highly customized and complex setup to keep track of my current financial situation. This involves keeping a transaction list that is as detailed as possible. Because I always forget to log my spending, I needed an automatic synchronization system to pull all the transactions from my bank into Actual Budget. The way I managed to do this is through a mix of browser automation and reverse-engineered APIs from their apps/websites. (I will never publish the code for the reverse-engineered APIs; I’m not ready to be sued for wrongful usage or locked out of my accounts.)

The last bank I did this for was a pretty interesting digital bank. (In Vietnam, these are usually a subsidiary of a larger commercial bank. They provide a fully online presence and usually have some interesting features. Legally, they operate as a payment service/e-wallet. IANAL. There is a listicle in English about them.) My partner and I are looking to move in together, and one of our first concerns was to open a joint account for shared expenses. Most of the traditional banks don’t support e-banking on a joint account. (They also usually require me to present a bunch of paperwork, legal documents and whatnot. Some even require a marriage certificate, which we don’t have because we are not married.)

The geek in me immediately demanded to find a way to pull transactions from our joint account automatically. It was a pretty interesting rabbit hole to dive into. In short, the process went something like this:

  • I opened their web app to see the API calls. They have a very transparent API contract (not everybody does; some have a very obtuse legacy backend). However, the feature to view the joint account isn’t implemented in the web app.
  • The mobile app has this feature. I used Proxyman to try sniffing the API requests, but they implemented SSL pinning, so MITM isn’t possible.
  • I finally had to go the reverse-engineering route to solve the problem.

Reverse engineering process

  • Use gplaydl to download the APK file from Google Play.
  • Use jadx to decompile the APK into a set of Java source files (in reality the app was written in Kotlin).
  • Search through the code to find references to the API calls.

I used an LLM agent to help me write a reproduction script to test my findings, as well as to look for clues. It radically improved how quickly I could set everything up.