> They surely read the copyrighted decompiled code

Do they? When it comes to reverse-engineering mobile app APIs, the usual strategy is to observe the network because it's so much easier than making sense of the disassembled binary.
Even if you can decompile, you'd generally use it as an aid to understand the network captures rather than using it as your primary source.
While if possible, it's the best course of action, the truth is these days additions like HSTS make it extremely difficult to MITM.
Additionally, MITM and trying things out on a toaster are one thing; doing the same on a 40k$ machine that can potentially make it impossible to do your commute is another.
This is IMO a prime example where the double team rev eng is key to success: one documents the API, the other uses it without having access to code (whiteroom).
HSTS interferes with MITM when the mobile device in question doesn't allow you to install new certificate authorities (as is slowly becoming the case).