Optimal Shopping compares prices at over 1,000 store locations — but not one of those chains offers a public pricing API. To get the data, we had to go find it ourselves.

The Mobile App Approach

Every major grocery chain ships iOS and Android apps that display real-time pricing. Those apps have to get that data from somewhere. By intercepting the app's network traffic using mitmproxy and a rooted Android test device, we can observe exactly which endpoints return pricing data, what authentication scheme they use, and what request parameters drive the responses.

Authentication Patterns

Chains use three common auth patterns:

  1. Static API keys baked into the app binary
  2. JWT tokens obtained via a device-fingerprint login flow
  3. Cookie-based sessions maintained by an app-side WebView

Each requires a different extraction and rotation strategy. Static keys are trivial once extracted. JWT flows require us to simulate the device fingerprint — we replay the registration request from a consistent UUID that doesn't trigger fraud heuristics. Cookie sessions are the most fragile: they require periodic re-authentication and are sensitive to User-Agent mismatches.
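Seen from the other side of the wire, each of the three client behaviours above leaves a distinct trace in an API operator's access logs: a device identifier that runs the registration flow more than once, a cookie session whose User-Agent changes mid-lifetime, and a per-device request rate no thumb on a phone screen produces. The following is an added example written from the chain's (defender's) point of view, not code from Optimal Shopping or from any grocery chain; the log record layout, the endpoint path `/v1/device/register`, and the thresholds are assumptions, and the sample records are constructed.

```python
"""
Flag the client-side patterns an API operator can observe in gateway logs.
Added example, written from the API operator's side. Log fields, endpoint
paths and thresholds are assumptions; SAMPLE_LOGS is constructed data.
"""
from collections import Counter, defaultdict
from datetime import datetime

REGISTRATION_PATH = "/v1/device/register"   # assumed endpoint name
MAX_REGISTRATIONS_PER_DEVICE = 1            # a real handset registers once
MAX_REQUESTS_PER_MINUTE = 60                # assumed ceiling for hand-driven browsing

UA_APP = "ChainApp/5.2 (Android 13)"        # constructed app User-Agent
UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed non-app User-Agent


def rec(ts, device_id, session, user_agent, path):
    """One gateway log record (assumed schema)."""
    return {"ts": ts, "device_id": device_id, "session": session,
            "user_agent": user_agent, "path": path}


def build_sample_logs():
    """Constructed traffic mixing three suspicious devices with one normal one."""
    logs = []
    # Device A replays the registration request three times from one UUID.
    for i in range(3):
        logs.append(rec(f"2024-05-01T10:0{i}:00", "dev-aaaa", None, UA_APP, REGISTRATION_PATH))
    # Session s1 logs in with the app UA, then continues with a different UA.
    logs.append(rec("2024-05-01T10:05:00", "dev-bbbb", "s1", UA_APP, "/v1/login"))
    logs.append(rec("2024-05-01T10:06:00", "dev-bbbb", "s1", UA_DESKTOP, "/v1/prices"))
    # Device C issues 90 price lookups inside a single minute.
    for i in range(90):
        logs.append(rec(f"2024-05-01T10:10:{i % 60:02d}", "dev-cccc", "s2", UA_APP, "/v1/prices"))
    # Device D behaves like a shopper: one registration, a few lookups.
    logs.append(rec("2024-05-01T10:20:00", "dev-dddd", None, UA_APP, REGISTRATION_PATH))
    for i in range(5):
        logs.append(rec(f"2024-05-01T10:2{i + 1}:00", "dev-dddd", "s3", UA_APP, "/v1/prices"))
    return logs


SAMPLE_LOGS = build_sample_logs()


def flag_repeated_registrations(logs):
    """Device ids that ran the registration flow more than once."""
    counts = Counter(r["device_id"] for r in logs if r["path"] == REGISTRATION_PATH)
    return sorted(d for d, n in counts.items() if n > MAX_REGISTRATIONS_PER_DEVICE)


def flag_user_agent_drift(logs):
    """Sessions whose User-Agent changed after the first request that carried the cookie."""
    first_ua = {}
    flagged = set()
    for r in logs:
        session = r["session"]
        if session is None:
            continue
        ua_at_start = first_ua.setdefault(session, r["user_agent"])
        if ua_at_start != r["user_agent"]:
            flagged.add(session)
    return sorted(flagged)


def flag_request_bursts(logs):
    """Device ids exceeding MAX_REQUESTS_PER_MINUTE in any one-minute bucket."""
    buckets = defaultdict(int)
    for r in logs:
        minute = datetime.fromisoformat(r["ts"]).replace(second=0, microsecond=0)
        buckets[(r["device_id"], minute)] += 1
    return sorted({dev for (dev, _), n in buckets.items() if n > MAX_REQUESTS_PER_MINUTE})


def analyze(logs):
    """Run all three detectors and return their findings keyed by detector name."""
    return {
        "repeated_registrations": flag_repeated_registrations(logs),
        "user_agent_drift": flag_user_agent_drift(logs),
        "request_bursts": flag_request_bursts(logs),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

The three detectors are deliberately independent so each can be tuned or disabled on its own; the normal device `dev-dddd` trips none of them, which is the property to check first whenever a threshold is changed.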

Keeping Up With App Updates

Chains update their apps every few weeks. We run a CI job that monitors app store release notes and pulls new APK builds automatically. If an auth endpoint or request signature changes, it's flagged for manual review within hours.