You can do basic reverse engineering to its mobile app using `jadx`or `apktool` and search for keywords like (http, https, <domain-name>, etc).

By simply deducing from its name:
Maybe you encounter subdomain like "java.target.com", immediately search for Java environment files and use it as ur word list

Or u encounter "admin.target.com", you can try dirs like "admin" or searching on LinkedIn for the admin of your program and use his name as directory

Maybe searching for the GitHub of the developer gives you some information about the patterns he uses