1 vote

I want to perform security testing of a mobile application that is installed on my mobile (basically, I installed the APK of the application). The setup is all done, and if I load any web application, ZAP records all the calls made via the mobile. But when I open the application and perform any action, the page just shows the loading icon; no data is displayed, and nothing is recorded in ZAP either. Can anyone please help me do mobile application security testing on an Android device using the ZAP tool?

1
AFAIK ZAP also performs man-in-the-middle for HTTPS connections. Therefore you are running into the same problem as all people who want to use a proxy like Fiddler, mitmproxy, Charles, ZAP, ... See this question for details: stackoverflow.com/questions/62730978/… – Robert

1 Answer

0 votes

There's a FAQ for that: https://www.zaproxy.org/faq/can-zap-be-used-to-test-mobile-apps/

Basically you have four options to deal with cert pinning etc.:

  • Adding a custom CA to the trusted certificate store
  • Overwriting a packaged CA cert with a custom CA cert
  • Using Frida to hook and bypass SSL certificate checks
  • Reversing custom certificate code
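Of the four options, the first is the one an app developer can support deliberately rather than bypass. The following Android network security config is an added illustration (not code from the linked FAQ or from this answer): debug builds trust user-installed CAs such as ZAP's root certificate, while release builds keep system-only trust plus pinning. The host name and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Illustrative example; the host name and pin digests below are placeholders. -->
<network-security-config>
    <!-- Applies only when the app is built with android:debuggable="true":
         user-installed CAs (e.g. the ZAP root CA imported through Settings)
         are trusted, and pinning is not enforced for chains that end in one
         of these debug-only anchors, so ZAP can terminate TLS for test builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Release builds ignore debug-overrides: only system CAs are trusted and
         the API host is additionally pinned, so an interception proxy fails the
         TLS handshake and the app stalls on its loading indicator, as in the
         question. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- SHA-256 of the server key's SubjectPublicKeyInfo; PLACEHOLDER values. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin so a key rotation does not lock out the release build. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

With this in place, a debug APK installed on the test device talks through ZAP once ZAP's exported root CA is installed as a user certificate, and the release APK keeps rejecting any CA that is not in the pin set.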