
List:       websecurity
Subject:    Re: [WEB SECURITY] Security Testing of Mobile Apps
From:       "Simone Onofri" <simone.onofri () gmail ! com>
Date:       2008-12-03 22:49:53
Message-ID: 52bd7c3d0812031449v3ad944e6mc220a16968e66023 () mail ! gmail ! com

Yes Jeff, right concept and, as Billy said, this is a security issue,
not a Web issue itself. Not in this layer.

So it can be nice to design a real scenario, also for evaluating the
risks of clients, not only the apps themselves. Context may change.

Cheers,

Simone

On Wed, Dec 3, 2008 at 11:42 PM, Jeff Robertson
<jeff.robertson@gmail.com> wrote:
> A "fat client" mobile app is probably making network connections of
> some kind to a server. Find out the name/address of that server and
> attack it directly.
>
>
> On 12/3/08, Simone Onofri <simone.onofri@gmail.com> wrote:
>> As Arun just said, it depends on the architecture of the mobile application.
>>
>> XHTML Mobile applications can be considered like Web Applications.
>>
>> So if there are specific web application vulnerabilities, some are also shared.
>>
>> If Java, it can be decompiled in order to find info and do source code
>> checking.
>>
>> Another way is to look at other layers, depending also on the protocols involved
>> (SIP for VoIP or similar), with tools like Wireshark.
>>
>> Cheers,
>>
>> Simone
>>
>> On Wed, Dec 3, 2008 at 10:39 PM, Arun Sundaresh
>> <arunsundaresh@gmail.com>wrote:
>>
>>> Hi Billy,
>>>
>>> Thanks for the info!
>>>
>>> From the discussion, I understood that for web-based mobile apps, we can
>>> use the general web app scanners by just changing the user agent of the
>>> scanning tool.
>>>
>>> But how about the security assessment of client-server apps for mobile?
>>> Say, for example, a voice mail client which notifies the user whenever there is
>>> a new voicemail and, based on the user's request, the client will contact the
>>> server component to pull the voicemail and play it.
>>>
>>> Thanks,
>>> Arun Sundaresh. R
>>>
>>> On Wed, Dec 3, 2008 at 2:37 PM, Hoffman, Billy
>>> <billy.hoffman@hp.com>wrote:
>>>
>>>> Mobile XHTML is just a subset of XHTML with limits on tags, certain form
>>>> elements, and some JavaScript limitations. In other words, scanning mobile
>>>> XHTML websites should be a subset of scanning regular websites. It should
>>>> just be a matter of changing the user agent of the scanning tool, which can
>>>> be easily done in the tool's settings or by running its traffic through a
>>>> "find-and-replace" proxy to give you an appropriate mobile user agent.
>>>> Otherwise a lot of mobile sites (m.facebook.com, etc.) will 302 you if you
>>>> don't have a mobile browser user-agent.
>>>>
>>>>
>>>>
>>>> I don't know of anything that can handle WAP/WML or i-mode.
>>>>
>>>>
>>>>
>>>> Billy Hoffman
>>>>
>>>> --
>>>>
>>>> Manager, HP Web Security Research Group
>>>>
>>>> HP Software – Application Security Center
>>>>
>>>> Direct:  770-343-7069
>>>>
>>>>
>>>>
>>>> *From:* Arun Sundaresh [mailto:arunsundaresh@gmail.com]
>>>> *Sent:* Wednesday, December 03, 2008 2:51 PM
>>>> *To:* websecurity@webappsec.org
>>>> *Subject:* [WEB SECURITY] Security Testing of Mobile Apps
>>>>
>>>>
>>>>
>>>> Hi All,
>>>>
>>>>
>>>> Greetings!
>>>>
>>>> Is anybody in this distro involved in the security testing of mobile
>>>> device apps? If so, could you please let me know the methodology that you
>>>> follow to perform the security testing on the mobile device apps.
>>>>
>>>>
>>>>
>>>> I would like to know the following details:
>>>>
>>>> 1. How will you perform security assessment of applications developed for
>>>> mobile phones?
>>>>
>>>> 2. What are the different types of testing that you would do?
>>>>
>>>> 3. Do you use some automated vulnerability assessment tools for testing
>>>> the mobile applications?
>>>>
>>>> Thanks,
>>>> Arun Sundaresh. R
>>>>
>>>
>>>
>>
>>
>> --
>> Simone Onofri
>> http://www.siatec.net/
>>
>
> --
> Sent from my mobile device
>



-- 
Simone Onofri
http://www.siatec.net/
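Added example, not part of the thread above: a minimal Python version of the User-Agent "find-and-replace" step Billy describes, applied to a raw HTTP request, together with a constructed stand-in for an origin that answers 302 to anything that does not look like a mobile browser. The mobile UA string, the host name and the sample requests are constructed for illustration.

```python
"""Rewrite the User-Agent of a raw HTTP/1.1 request the way a
find-and-replace proxy in front of a web scanner would, so a mobile
site that 302s desktop browsers serves the scanner its real pages."""

# Constructed mobile UA string (assumption; any UA the target site
# classifies as mobile would do).
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 2_2 like Mac OS X) Mobile"

# Constructed scanner request: a desktop-looking UA against a mobile host.
SCANNER_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: m.example.test\r\n"
    b"User-Agent: DesktopScanner/1.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def rewrite_user_agent(request: bytes, mobile_ua: str = MOBILE_UA) -> bytes:
    """Return the request with its User-Agent replaced, or added if absent.

    Header names are matched case-insensitively; the request line and any
    body after the blank line are passed through untouched.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    new_ua = b"User-Agent: " + mobile_ua.encode("ascii")
    for i, line in enumerate(lines[1:], start=1):  # lines[0] is the request line
        if line.lower().startswith(b"user-agent:"):
            lines[i] = new_ua
            break
    else:
        # Scanner sent no UA at all: insert one right after the request line.
        lines.insert(1, new_ua)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def mock_mobile_site(request: bytes) -> int:
    """Constructed stand-in for the origin behaviour described in the thread:
    302 unless the User-Agent contains 'mobile' (case-insensitive)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent" and b"mobile" in value.lower():
            return 200
    return 302
```

Running the scanner request through `rewrite_user_agent` before `mock_mobile_site` turns the 302 into a 200, which is the effect the proxy trick is meant to have on a real scan.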
