ZAP for mobile security testing

[Anuj Sharma]

Hi,

How can I connect ZAP to emulators for mobile security testing? I am trying to test native mobile application that connects to a web server.



Thanks,
Anuj Sharma

[psiinon]

Hi Anuj,

I'd guess you'll need to configure the emulator to use ZAP as a proxy.
Which emulator(s) are you using?

For android I found this which might help: http://stackoverflow.com/questions/1570627/how-to-setup-android-emulator-proxy-settings

Anyone else done this in anger?

Cheers,

Simon

[Colm O'Flaherty]

I suggest you set up Zap as a proxy for the mobile device (or the device emulator), so all requests made by the device will be handled by Zap.

The default proxy settings in Zap are localhost, port 8080 (IIRC), but you can change these to be whatever you want, if they conflict with a local TomCat instance, for example.

Colm

--
 
 

[Colm O'Flaherty]

Oops.. Hadn't seen your response!

C

--
 
 

[Anant Shrivastava]

As already described ZAP proxy will work as any other proxy. you need to configure it in the emulator.

based on my past experience, give preference to 4.0 or 4.1 version of emulator coz they have better support for proxy.

below 4.0 any app will not get proxfied where as for 4.0 that's automatically handled by the emulator proxy settings.
settings as described here would work like a charm.
http://www.rahinur.com/android-development/android-emulator-proxy-settings.html

-Anant

[Anant Shrivastava]

One more thing which i forgot.
the app with ssl might not work directly in that case just copy the certificate from ZAP proxy to emulator and install it there.

export your certificate from ZAP.
then copy it into emulator /sdcard/ and then

Settings -> Security -> Credential Storage, and select "Install from storage":

That should help you in intercepting the ssl traffic also.

[Anuj Sharma]

Hi,

I've set up the Android SDK and emulators as well. When I launch the Android Emulator using the following command, I can intercept all the http requests and responses from the built in web browser of Android.

emulator -avd <avd_name> -http-proxy localhost:8080

However, I am unable to intercept requests from a hybrid application. I wrote a 2 line code, which would load a URL in the browser. I expected this to be intercepted by ZAP. 

go.setOnClickListener(new View.OnClickListener() 

{

@Override

public void onClick(View v) 

{

ob.loadUrl("http://www.google.com");

ob.getSettings().setJavaScriptEnabled(true);

setContentView(ob);

}

});

        

"go" is a button.

Can you help me in figuring out what the problem is? How can I intercept requests from a hybrid app in android.

Thanks,

Anuj Sharma

[Anuj Sharma]

Got this figured out now. I had not given the Internet permission to the application. After giving the permission, I can intercept the requests.

[psiinon]

Thats good.

Would you be able to find the time to put together some notes on what you needed to do?
It would be great to include them in the ZAP wiki :)

Many thanks,

Simon

[Anuj Sharma]

Hi Simon,

Yes, I would be able to give time to write a wiki. Can you share the process for the same like the format and from whom I would have to get this reviewed?

Cheers,

Anuj

[Anuj Sharma]

Hi Simon,

Yes, I would be able to give time to write a wiki. Can you share the process for the same like the format and from whom I would have to get this reviewed?

Cheers,

Anuj

On Wednesday, 10 October 2012 12:56:10 UTC+5:30, psiinon wrote:

[psiinon]

Great :)
You should have permissions to update the wiki now.

You could add this as a FAQ: http://code.google.com/p/zaproxy/wiki/FAQtoplevel
But if anyone else has any better suggestions then speak up.

Dont mind too much about the format, as long as its as clear as possible :)
We can review it after you add it, or you can post it here if you'd like some feedback before you publish it.

Many thanks,

Simon

[Anuj Sharma]

Hi Simon,

Let me know if this is ok or it needs more details.

I have written for Android Applications and not for iOS, since I've not worked with it's emulators. Maybe someone else can throw some light on it.

"ZAP can be configured for intercepting requests from Android web applications.

1. Configure ZAP to listen to localhost: 8080. Click here to know how to do this. [http://code.google.com/p/zaproxy/wiki/FAQlocalhost]

2. Create an Android Emulator using the AVD Manager. Launch the Android Emulator from the command line using the below command

emulator –avd <avd_name> -http-proxy localhost:8080


The above command is to be executed from the Android SDK tools directory

3. Run the Android application on the emulator. The Http request and responses should now be intercepted by ZAP
"

Cheers,
Anuj

[psiinon]

Will Android developers know how to "Create an Android Emulator" or is it worth spelling out (select this option, etc)?
Other than that, it looks good to me.

Hopefully that will encourage someone else to write one for iOS :)

Many thanks,

Simon

[Anuj Sharma]

I hope that the android developers would be aware of how to use the emulators. I think our scope should be limited for ZAP Confguration.

In addition to what I showed you in the first draft, I think we can add steps for adding digital certificates to ZAP for emulators. I'll do a short write up on it and post it here only.

Afterwards, we can consolidate it and publish it. Let me know otherwise.



Cheers,
Anuj

[Andre Gironda]

On Sun, Oct 14, 2012 at 10:46 PM, Anuj Sharma <anu...@gmail.com> wrote:
> I hope that the android developers would be aware of how to use the
> emulators. I think our scope should be limited for ZAP Confguration.
>
> In addition to what I showed you in the first draft, I think we can add
> steps for adding digital certificates to ZAP for emulators. I'll do a short
> write up on it and post it here only.
>
> Afterwards, we can consolidate it and publish it. Let me know otherwise.

There's WebCruiser and WebSecurify for iOS, but nothing for Android
(dSploit and zAnti do not have web app attack capabilities).

I just want to see ZAP as an Android app for testing non-mobile web
apps. Mercury and andbug suit my testing capabilities better on
Android, and some of the SDK Emulator built-ins such as am(1) and
strace(1) have certainly made my life easier so far when using the
Android platform for development or testing.

Andre

[Anant Shrivastava]

Few more inputs... command line option looks good however it requires you to constantly and everytime start emulator with these options.

alternative approach which works 100% with 4.0 + emulator versions would be.

1) in Settings -> Wireless Networks -> Mobile Networks -> Access Point configuration -> Select entry -> Set PORT and SERVER : keep Port as whatever proxy port used in ZAP and SERVER as 10.0.2.2

2) To import certificate.
first in ZAP go to certificate tab and export certificate then "adb push" the certificate to /sdcard/ and then inside
Settings->Security -> Install from Storage Willl automatically pull the certificate in sdcard and will allow you to install it.

(Note: this method requires you to have a pin number for your emulator)

However this method will save the time for running commands everytime.

Hope this simply guide will help folks.


-Anant

[robkoch86]

Hello,

I would like to add, that the approach described below works for me too.

However, another approach FAILED. I've set the HTTP(S) proxy for the emulator via command line option (-http-proxy http://localhost:<port>). HTTP traffic worked well, but HTTPS produced an: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake.

Best wishes,
Robert

[venkat...@gmail.com]

Hi all,

Need help to start mobile applications security with ZAP tool, can you please help me to start how i can test my mobile application security with ZAP tool. While googling i found only videos / setps relevant to web application only, no where i found info on how zap used for mobile application. Please share info / links for to test my mobile application security via zap tool. 

Thanks in advance..

Thanks,

Pavan

[Anshad V]

You can follow this link which explains in detail How to intercept android application using ZAP.

[Anshad V]

How to intercept android app using ZAP

http://techdiscussionforum.blogspot.in/2017/08/how-to-intercept-android-app-using-zap.html

[Anshad V]

How to intercept android app using ZAP

http://techdiscussionforum.blogspot.in/2017/08/how-to-intercept-android-app-using-zap.html

On Friday, 21 September 2012 17:30:55 UTC+5:30, Anuj Sharma wrote:

[Saif Siddiqui]

Hi All,

I was able to install zap certificate on iPhone (real device) and able to see/request and response when launching any https website on Safari browser.

But it is not able to intercept Native iOS application.

Any suggestion,how can we intercept request/response for native application?

Thanks

Saif

[Saif Siddiqui]

On Friday, 21 September 2012 17:30:55 UTC+5:30, Anuj Sharma wrote:

[Andre Gironda]

On Fri, Oct 20, 2017 at 12:36 PM, Saif Siddiqui <saif...@gmail.com> wrote:
> I was able to install zap certificate on iPhone (real device) and able to
> see/request and response when launching any https website on Safari browser.
> But it is not able to intercept Native iOS application.
>
> Any suggestion,how can we intercept request/response for native application?

If you are working with jailed iOS then you will need to repackage the
IPA with a shim (shared library .so file), such as the one from
PonyDebugger:

https://github.com/square/PonyDebugger

[Prajna Hegde]

Hi Simon,

           I want to automate mobile application security testing. So How can I automate zap scanning for mobile application. There is no documentation for automating mobile application security testing using OWASP ZAP. There is only documentation for proxy connection in mobile device and installation of ssl certificate. Please reply back soon.

Thank you.

[kingthorin+owaspzap]

“Drive” the app however you normally would for automation/testing. Proxy all that traffic through ZAP. Automate scanning just like any other web app.