Saturday, September 29, 2012

Using Mobile Applications for attacking Web Applications


This simple blog post was motivated by my desire to look at some mobile applications that I happen to use. I did not choose a specific methodology for testing mobile applications. What I did was to use some of my knowledge in testing web applications in general. To my pleasant surprise I got results that made me happy, or not.


01 – Catalog Application
Starting my tests, on the first application I noticed that the web server authentication credentials are simply sent in plain text using a POST method.
Most of these mobile applications are just simple frontends for web services. This behavior has been confirmed in all tested applications. Some examples:
02 – Auction Application
Let's start intercepting the requests of the mobile application and doing a simple SQL injection test:
In this specific case it was possible to notice that the web application consumed by the mobile application is vulnerable to SQL injection attacks.
So, one would ask: should I be attacking the web application or the mobile application? The answer to this question is easy: go for the web application, since the mobile application is only a frontend for it.
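The backend defect the auction application's web service exposed, as an added example that is not from the post: a lookup endpoint that concatenates the mobile client's parameter into SQL, beside the parameterized form that fixes it, run against a constructed in-memory SQLite table (the table, rows and function names are assumptions for illustration).

```python
import sqlite3

# Constructed sample data standing in for the web service behind a
# mobile auction frontend; the "private" row must never be returned.
ITEMS = [
    (1, "vintage radio", "public"),
    (2, "signed guitar", "public"),
    (3, "seller notes", "private"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT, visibility TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    return con


def search_vulnerable(con, term):
    # The search term coming from the mobile app is pasted straight into
    # the statement, so a quote in it changes the query's structure and
    # the visibility filter can be bypassed.
    sql = ("SELECT id, name FROM items WHERE visibility = 'public' "
           "AND name LIKE '%" + term + "%'")
    return con.execute(sql).fetchall()


def search_fixed(con, term):
    # Parameterized: the term is bound as data and never parsed as SQL,
    # which is the same rule a web frontend would have been held to.
    sql = ("SELECT id, name FROM items WHERE visibility = 'public' "
           "AND name LIKE ?")
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def compare(term):
    # Runs one term through both endpoints on a fresh database and
    # returns (vulnerable_rows, fixed_rows) for side-by-side inspection.
    con = make_db()
    return search_vulnerable(con, term), search_fixed(con, term)


if __name__ == "__main__":
    for term in ("radio", "x%' OR '1%'='1"):
        vuln, fixed = compare(term)
        print(repr(term), "vulnerable:", vuln, "fixed:", fixed)
```

The second term turns the concatenated WHERE clause into `... OR '1%'='1%'`, which is always true, so the vulnerable endpoint leaks the private row while the parameterized one simply matches nothing.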
Extracting information via SQL injection:
After that, I'm hungry... and I love sandwiches!!
03 – Fast-food Delivery Application
Ohhh no... another application in which my credentials are being sent in plain text.
Conclusion
Because it is a mobile application, developers might be forgetting the basics of security. If your mobile application is a simple frontend for a web service, the same concepts of web security must be considered: the backend still receives untrusted input and the credentials still travel over the network. Think about it and check some of the following references for security best practices:
OWASP Development Guide.

OWASP Transport Layer Protection.
OWASP SSL Best Practices.

Wiredwizrd

Morgan Todd Lewistown, PA