I want to perform security testing of a mobile application that is installed on my mobile (basically I installed the APK of the application). The setup is all done, and if I load any web application, ZAP records all the calls made via the mobile. But when I open the application and perform any action, the page just shows the loading icon; no data is displayed and nothing is recorded in ZAP either. Can anyone please help me do mobile application security testing on the Android device using the ZAP tool?
1 vote
1 Answer
0 votes
There's a FAQ for that: https://www.zaproxy.org/faq/can-zap-be-used-to-test-mobile-apps/
Basically you have four options to deal with cert pinning etc.:
- Adding a custom CA to the trusted certificate store
- Overwriting a packaged CA cert with a custom CA cert
- Using Frida to hook and bypass SSL certificate checks
- Reversing custom certificate code
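For the first option, when you can rebuild the app yourself, the usual way to trust a tester-installed CA such as ZAP's root certificate is Android's network security config, which trusts user-added CAs only in debuggable builds and leaves release builds pinned. This is an added example, not part of the original answer; the domain, pin values and file name are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example); referenced from
     AndroidManifest.xml as android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour: only the system store is trusted for this host and the
         backend's SPKI hashes are pinned. The hash values below are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH=</pin>
        </pin-set>
    </domain-config>

    <!-- Applied only when the app is built with android:debuggable="true": CAs the
         tester installed under Settings > Security (the "user" store) are trusted
         in addition to the system store. Inside debug-overrides, overridePins
         defaults to "true", so chains signed by ZAP's CA also pass the pin-set above.
         Release builds ignore this whole section. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
            <certificates src="system" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Before shipping, confirm the release APK is not debuggable, since that single flag is what keeps the user store and the pin bypass out of production.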