When testing mobile applications (apps, mini-programs and the like), application security needs to be part of the test.
ZAP can also be used to scan mobile applications for penetration testing.
Because ZAP works as an intercepting proxy sitting between client and server, it intercepts and scans every request exchanged between the two, and a mobile application acting as the client is naturally within its scope.
For more on ZAP proxy settings, see Principles and Security Testing: OWASP ZAP Guide 2.8 (c): ZAP proxy settings
Requirements
- OWASP ZAP client installed on the PC
- Phone emulator / physical device
Android setup
We divide mobile apps into two cases:
The app under test does not use the HTTP protocol and the Android device has been rooted: use ProxyDroid
The app under test uses the HTTP protocol, or it is a mobile website: use Android's built-in proxy settings
Using ProxyDroid
ProxyDroid is free, open-source software for Android.
ProxyDroid bundles a set of proxy and firewall tools, so an app's traffic can easily be redirected through ZAP.
Using ProxyDroid requires a rooted phone.
- Open ProxyDroid
- Set the proxy host to the IP address of OWASP ZAP
- Turn on the proxy switch
- Grant root privileges
Using the default Android proxy
- Make sure the phone and the ZAP proxy are on the same Wi-Fi LAN
- On the phone, open "Settings - Wireless & networks - WLAN"
- Select the connected Wi-Fi network and choose "Modify network"
- Tick "Show advanced options"
- Set the proxy mode to "Manual"
- Fill in ZAP's address and port
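As an added example (not part of the original article), the same "Manual" proxy setting can be applied from the PC with adb, which is the command-line equivalent of the Wi-Fi steps above and convenient on emulators. It assumes adb is on PATH and the device or emulator is already authorised; the IP and port arguments are your ZAP listener (ZAP listens on port 8080 by default).

```shell
#!/bin/sh
# Added example: set the Android global HTTP proxy to the ZAP listener via adb.
# Assumes adb is on PATH and the device/emulator is already authorised.

# Validate an IPv4 address and a TCP port; print "host:port" on success,
# print nothing and return 1 on invalid input.
zap_proxy_target() {
    host=$1; port=$2
    # Reject empty, leading/trailing/double dots and non-digit characters.
    case "$host" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # Split into octets and require exactly four, each in 0-255.
    set -- $(printf '%s\n' "$host" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        { [ "$octet" -ge 0 ] && [ "$octet" -le 255 ]; } 2>/dev/null || return 1
    done
    case "$port" in
        ""|*[!0-9]*) return 1 ;;
    esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null || return 1
    printf '%s:%s\n' "$host" "$port"
}

# Point the device's global HTTP proxy at ZAP. Only apps that honour the
# system proxy are affected; as the article notes, other apps need ProxyDroid.
zap_proxy_enable() {
    target=$(zap_proxy_target "$1" "$2") || return 1
    adb shell settings put global http_proxy "$target"
}

# Clear the proxy when testing is finished (":0" is Android's "no proxy").
zap_proxy_disable() {
    adb shell settings put global http_proxy :0
}

# Show what the device currently reports, to confirm the setting took effect.
zap_proxy_status() {
    adb shell settings get global http_proxy
}

# Usage: sh zap_proxy.sh enable 192.168.1.10 8080 | disable | status
case "${1:-}" in
    enable)  zap_proxy_enable "$2" "$3" ;;
    disable) zap_proxy_disable ;;
    status)  zap_proxy_status ;;
esac
```

On the Android emulator, 10.0.2.2 is the alias for the host PC, so `enable 10.0.2.2 8080` points an emulator at a ZAP instance running locally.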
Once the proxy is configured, all traffic from the mobile application will be intercepted by ZAP, and ZAP will at the same time run its "passive scan" over it as a first pass.
Because many apps require an authentication step (mini-programs are further restricted by WeChat's openid), ZAP's two spiders, the default spider and the Ajax spider, are not particularly effective here.
It is therefore recommended that, after pointing the device at the ZAP proxy, you walk through the application under test manually; every page visited is recorded by ZAP, and once the main pages have been visited, use the "Active Scan" button.