Security Testing: OWASP ZAP 2.8 User Guide (D): ZAP mobile application security scanning

When testing mobile applications (apps, mini-programs and the like), application security needs the same attention as it does for web applications.

ZAP can be used to run penetration-test scans against mobile applications.

Because ZAP works as an intercepting proxy (a "man in the middle"), it intercepts and scans every request exchanged between a client and a server; a mobile application is simply another client, so its traffic naturally falls within ZAP's scope.

For more on ZAP's proxy settings, see Security Testing: OWASP ZAP 2.8 User Guide (C): ZAP proxy settings.

Requirements

  • The OWASP ZAP client installed on the PC

  • A phone emulator or a physical device

Android settings

We split mobile apps into two situations:

  • The app under test does not go through the HTTP proxy (it does not use the HTTP protocol) and the Android device is rooted: use ProxyDroid.

  • The app under test uses the HTTP protocol, or the target is a mobile website: use the default Android proxy settings.

Using ProxyDroid

ProxyDroid is free, open-source Android software.

ProxyDroid bundles a set of proxy and firewall tools, so an app's traffic can easily be redirected through a proxy of your choice.

ProxyDroid requires a rooted phone.

  1. Open ProxyDroid
  2. Set the proxy host and port to the OWASP ZAP address
  3. Turn on the proxy switch
  4. Grant root privileges when prompted

Using the default Android proxy

  1. Make sure the phone's Wi-Fi and the ZAP proxy are on the same LAN
  2. On the phone, open "Settings - Wireless & networks - WLAN"
  3. Select the connected Wi-Fi network and choose "Modify network"
  4. Check "Show advanced options"
  5. Set the proxy mode to "Manual"
  6. Enter the ZAP address and port
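Step 1 is where this setup most often fails: ZAP listens on localhost by default, which the phone cannot reach, and binding it to every interface instead exposes the proxy to every host on the Wi-Fi. The check below is an added example (not code from the original post or from the ZAP project) that validates the ZAP listen address, port and the phone's address against the Wi-Fi subnet before you type the values into the phone; all addresses in it are constructed sample values.

```python
import ipaddress


def check_mobile_proxy_setup(zap_bind_addr, zap_port, phone_ip, lan_cidr):
    """Report what would stop the phone from reaching ZAP.

    zap_bind_addr: the address ZAP's local proxy is bound to
    zap_port:      ZAP's proxy port
    phone_ip:      the phone's Wi-Fi address
    lan_cidr:      the Wi-Fi subnet, e.g. "192.168.1.0/24"
    Returns {"errors": [...], "warnings": [...]}; errors block the setup,
    warnings mean it works but is wider open than it needs to be.
    """
    errors, warnings = [], []
    bind = ipaddress.ip_address(zap_bind_addr)
    phone = ipaddress.ip_address(phone_ip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)

    if not 1 <= int(zap_port) <= 65535:
        errors.append(f"invalid proxy port {zap_port}")

    if bind.is_loopback:
        # ZAP's default: only processes on the PC itself can connect.
        errors.append(f"ZAP is bound to {bind}; the phone cannot reach a loopback "
                      "listener. Bind ZAP to the PC's LAN address instead.")
    elif bind.is_unspecified:
        # 0.0.0.0 works for the phone, but so does every other host on the network.
        warnings.append("ZAP is bound to all interfaces; prefer the PC's LAN address "
                        "so only this Wi-Fi segment can use the proxy.")
    elif bind not in lan:
        errors.append(f"ZAP address {bind} is not on the phone's LAN {lan}")

    if phone not in lan:
        errors.append(f"phone address {phone} is not on the LAN {lan}")

    return {"errors": errors, "warnings": warnings}


def proxy_setting(zap_bind_addr, zap_port):
    """The host:port value entered in the phone's manual proxy fields."""
    return f"{zap_bind_addr}:{int(zap_port)}"


if __name__ == "__main__":
    # Constructed sample: ZAP on 192.168.1.10:8080, phone on 192.168.1.23.
    report = check_mobile_proxy_setup("192.168.1.10", 8080, "192.168.1.23", "192.168.1.0/24")
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1]}: {msg}")
    if not report["errors"]:
        print("phone proxy value:", proxy_setting("192.168.1.10", 8080))
```

On an emulator or a device with adb access, the same host:port value can be applied without the GUI steps using `adb shell settings put global http_proxy <host>:<port>` (and cleared again with `settings put global http_proxy :0`).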

Once the proxy is configured, every request the mobile application makes is intercepted by ZAP, and ZAP runs its "passive scan" over that traffic at the same time as a first pass.

Because many apps involve an authentication step (mini-programs are even more constrained because of the WeChat openid), neither of ZAP's two spiders, the default spider and the Ajax spider, is particularly effective here.

The recommended approach is therefore to route the app through the ZAP proxy and then exercise the application under test by hand; every page visited is recorded by ZAP. After the main pages have been visited, use the "Active Scan" button.
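The same "browse by hand, then scan what ZAP recorded" workflow can be driven from ZAP's JSON API instead of the "Active Scan" button, which is convenient when the manual run is repeated for every build. The script below is an added example, not code from the original post or from the ZAP project: it waits for the passive scan queue to drain, starts an active scan over the recorded target, polls until it finishes and summarises the alerts by risk. The API address, key and target URL are placeholders to replace with your own; the endpoint paths and JSON field names (`scan`, `status`, `alerts`, `recordsToScan`) are ZAP's published API. The HTTP call is injectable so the flow can be exercised without a running ZAP.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders: ZAP's local proxy address and the API key set under
# Tools > Options > API. Replace both with your own values.
ZAP_API = "http://127.0.0.1:8080"
API_KEY = "replace-with-your-zap-api-key"


def api_url(base, component, kind, name, apikey, **params):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<action|view>/<name>/."""
    query = {"apikey": apikey, **{k: str(v) for k, v in params.items()}}
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def summarize(alerts):
    """Count alerts per risk level (High/Medium/Low/Informational)."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def active_scan_recorded_site(target, base=ZAP_API, apikey=API_KEY,
                              fetch=http_get_json, poll_seconds=5, sleep=time.sleep):
    """Actively scan the pages already recorded for `target` by manual browsing.

    Returns the per-risk alert counts once the scan reports 100%.
    """
    # Let the passive scanner finish with the manually browsed traffic first.
    while int(fetch(api_url(base, "pscan", "view", "recordsToScan", apikey))["recordsToScan"]) > 0:
        sleep(poll_seconds)

    started = fetch(api_url(base, "ascan", "action", "scan", apikey,
                            url=target, recurse="true", inScopeOnly="false"))
    scan_id = started["scan"]

    # Poll the scan's progress percentage until it reaches 100.
    while True:
        status = fetch(api_url(base, "ascan", "view", "status", apikey, scanId=scan_id))
        if int(status["status"]) >= 100:
            break
        sleep(poll_seconds)

    alerts = fetch(api_url(base, "core", "view", "alerts", apikey, baseurl=target))["alerts"]
    return summarize(alerts)


if __name__ == "__main__":
    # Placeholder target: the base URL the app was seen talking to in ZAP's Sites tree.
    print(active_scan_recorded_site("http://app.example.test"))
```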


Source: www.cnblogs.com/dayu2019/p/11880808.html