September 16, 2014 at 10:23 am #4091RonanKeymaster@ronanSeptember 16, 2014 at 11:02 am #4094GitaParticipant@gita
Is there any guide somewhere that would help me setup proxies to iOS / Android apps?September 16, 2014 at 11:05 am #4095
Thanks for the presentation 😉
it was well understood in the combination with Stephan giving the intro steps in mobile testing as such – as well i recently got an intro training in security testing for web apps. I enjoyed this.
Question would be – what else asside proxy could be used for not vert technical people. You mentioned the getting the sources (parsing class files to java ect. )
is there something else cool to look into, that you could suggest? 🙂
~~ ~~September 16, 2014 at 11:18 am #4096DaraghParticipant@daraghmSeptember 16, 2014 at 11:19 am #4097
Thank you for the presentation. Like Stephen’s presentation earlier, it was excellent and combined with his presentation gave a valuable insight into how to test mobile app devices and software.
A question I have is are there any simulators that you would recommend to test Android/iOS phones? and how much testing should include the simulators as part of the testing?
ThanksSeptember 16, 2014 at 11:20 am #4098
Here are a few links to some of the things I mentioned in my talk:
- OWASP Top Ten Mobile Security Risks is a list of mobile risks that are worth considering. Remember that your own stakeholders are what really matter. This is just a starting point.
- Go Mobile Add-on for Firefox. Simply sets your User Agent header to be a mobile header, so that web servers often send you the mobile version of their content. Only useful for mobile web sites. Not useful for testing the web services side of a mobile app.
Happy to answer your questions.September 16, 2014 at 11:21 am #4099
aaw but i like it here 😀
~~ ~~September 16, 2014 at 11:27 am #4100
ThanksSeptember 16, 2014 at 11:28 am #4101
Daragh – i see some cool questions/answers in the chat transcript – any chance the info gets stored here somehow?
~~ ~~September 16, 2014 at 11:28 am #4102
For iOS the only one is the built-in simulator that comes with XCode.
For Android, it’s the Android emulator or Geny Motion.September 16, 2014 at 11:32 am #4103DaraghParticipant@daraghm
Yes we have all transcript saved so we’ll look and sharing the views and opinions expressed here on TEST Huddle 🙂September 16, 2014 at 11:36 am #4104
Awesome! THANKS Daragh 😉
~~ ~~September 16, 2014 at 11:47 am #4105
With mobile security testing, would anyone know what jailbreak means again please?
ThanksSeptember 16, 2014 at 11:56 am #4106
Here’s an article on using Charles Proxy with an iPhone: http://www.charlesproxy.com/documentation/faqs/using-charles-from-an-iphone/. That’s a fine tutorial The instructions are largely the same for Android, just finding the equivalent settings.
Once you have your mobile device routing through the proxy, all the standard guidance on how to use a proxy applies.September 16, 2014 at 11:57 am #4107
Andy -> http://www.wikiwand.com/en/Jailbreaking_(iOS) (thanks to Stephan 🙂 )
~~ ~~September 16, 2014 at 11:59 am #4108
Cheers 🙂September 16, 2014 at 12:00 pm #4110
Andy: The thing with iOS is that, unless you jailbreak the phone, you can’t install any software other than via the Apple store. This is intended to be a feature and Apple works hard to prevent people from being able to bypass their security restrictions. As an end user I never jailbreak my personal devices because it’s risky. As a tester, however, jailbreaking allows you to get under the bonnet of an app and find out what it’s doing. For example, you can see local storage, API calls, and other behaviours. This is important from a testing point of view because we care what’s really going on under the hood. I think it is of dubious value to end users, though. Because it opens an iOS device to the same sorts of malware and mischief that occur on Android, which they’d otherwise be protected from if they didn’t jailbreak.September 16, 2014 at 12:06 pm #4111
On Android, APKs are nothing more than zip files. They’re signed Java packages. You can unzip them, decompile them, and produce .java files from .class files. At that point, security-critical things like passwords, encryption keys, enrolment tokens, and more are all visible. So someone can just download the apk off the google play store, extract your source code, and look for interesting secrets that the developers thought were “hidden” in it. Fun times.September 16, 2014 at 12:09 pm #4113AfreenParticipant@ahossain
You need to install the certificate and add the host in SSL under proxy settings to catch https calls. Like Paco said, charles has pretty good documentation on it.
@Paco: There are few extentions in web browsers that will allow you to test SQL injection or cross site scripting check, like Inject-me, XSS-me in firefox. Do you know about anything similar for mobile?September 16, 2014 at 12:22 pm #4115
@ahossain: I don’t know of any automations against the client-side code running on the mobile device. That’s one of the big difficulties of the mobile platform at the moment. We’re kinda lucky to have the simulators and emulators.
I also think it’s important to distinguish between client-side concerns and server-side concerns. The server side is the one where we care about SQL injection and XSS (except in the rare case I mentioned above, where you have a badly-implemented webview app). Mobile apps have dramatically different security concerns. And we test the mobile server services for (XSS and SQLi the same way we’ve always tested web services for those issues.
Popular mobile risks are things like data disclosure, weaker security controls than our web channels (e.g., the web requires 2-factor auth, but the mobile doesn’t) and trusting the app to do authorization (e.g., assuming that if we tell the mobile app that it’s logged in as a low-privileged user, it will not generate a high-privleged request, thus we omit the authorization check on the server side.). We need to make sure we’re covering the new situations that we’ve never had to deal with before, as well as all the old server-side stuff that’s still there.September 16, 2014 at 5:29 pm #4138PadmarajParticipant@padmaraj
I totally agree @Paco pint of view on OWASP Top Ten Mobile Security Risks, because hacker can attack from any weak place in the overall IT Infrastructure .
I still love to use “fiddler” time to time for security check. I am testing ios & android native app and win application. With fiddler tool I cover many issues(API, HTTP(s), Web session) with application.
Please list the tools in sequence with respect to the
- You must be logged in to reply to this topic.