This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC. We talked about the some of the current problems facing mobile applications such as flaws found in the OWASP Mobile Top 10 and various privacy issues. We also talked about how you go about testing mobile applications from the application layer (HTTP) down to the transport layer (TCP) and file system. I highly recommend you take a look at John’s file system testing methodology as he takes more of a forensic approach which works really well. The takeaway from the talk is that you need to look at all these areas when testing mobile apps and mobile apps are growing area of concern from a security and privacy perspective.
One update we forgot to mention in the talk is that you should use Mallory, which is a transparent TCP and UDP proxy for testing mobile applications. This is an excellent tool created by the guys at Intrepidus Group. We’ve found that some apps will bypass proxy settings and lots of apps are sending data over binary protocols and more. Mallory is the tool you need for testing any mobile app fully!