App Security Testing
This post is presented by our Lead QA, Priyanka, and follows her journey exploring the security aspects of mobile apps while testing. This will be a series of posts; this one highlights the issues faced while connecting the security testing tool (OWASP ZAP) to a mobile device.
At AV DEVS, we take the security of solutions we build very seriously and include in-depth security and penetration testing of the production environment at regular intervals.
We recently decided to extend our security testing capabilities to mobile apps since they serve as the ultimate frontend for users. We have been testing our web application using OWASP ZAP 2.9.0 tool and decided to explore mobile testing on the same tool.
We ran into an issue with the connection between ZAP and the mobile device. Our team jumped in to help and, with special assistance from Pranav and Kushal, the connection was established and the rest of the process could begin.
For iOS: activate the toggle button shown below to grant permission; this allows the connection to be established.
For Android: we need to add a piece of code to our project so that the ZAP certificate is accepted and the tool can crawl the application. Temporarily add code that allows the tool to read the network calls (THIS CODE SHOULD NOT GO TO PRODUCTION; use branching or create a separate build variant).
Create a new class named UnsafeOkHttpClient and add the code from the following gist to it: https://gist.github.com/kdavdevs/1988ebf6106f2fc4fc96d234b3a8384d
Next, instead of calling OkHttpClient.Builder(), call UnsafeOkHttpClient.getUnsafeOkHttpClient() in your Retrofit client class.
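One way to honour the "different build variant" advice above, as an added example that is not the post's own code or the linked gist: a Retrofit client factory that routes traffic through ZAP only in debug builds, so the interception path can never be compiled into a release build. It assumes the hypothetical names ApiClientFactory, ZAP_HOST and ZAP_PORT, the app's generated BuildConfig class, and that the ZAP CA is trusted through a debug-only network security config rather than a trust-all client.

```java
// Added example (not from the post or the gist it links): ZAP proxying limited to debug builds.
// Assumes the ZAP CA is trusted via res/xml/network_security_config.xml using
//   <network-security-config><debug-overrides><trust-anchors>
//     <certificates src="user"/></trust-anchors></debug-overrides></network-security-config>
// which Android honours only while android:debuggable is true, so release builds keep the
// platform trust store untouched.
import java.net.InetSocketAddress;
import java.net.Proxy;
import okhttp3.OkHttpClient;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;

public final class ApiClientFactory {
    // Constructed values: the workstation running ZAP and ZAP's default listening port.
    private static final String ZAP_HOST = "192.168.1.10";
    private static final int ZAP_PORT = 8080;

    private ApiClientFactory() {}

    // Returns a proxied client in debug builds and a plain client everywhere else.
    public static OkHttpClient buildOkHttpClient() {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (BuildConfig.DEBUG) {
            // Debug builds only: send every request through the ZAP proxy so the tool can
            // record and replay the app's network calls.
            builder.proxy(new Proxy(Proxy.Type.HTTP,
                    new InetSocketAddress(ZAP_HOST, ZAP_PORT)));
        }
        return builder.build();
    }

    // Drop-in replacement for the Retrofit client class mentioned in the post.
    public static Retrofit buildRetrofit(String baseUrl) {
        return new Retrofit.Builder()
                .baseUrl(baseUrl)
                .client(buildOkHttpClient())
                .addConverterFactory(GsonConverterFactory.create())
                .build();
    }
}
```

Because the proxy and the debug-overrides trust anchor are both gated on the debug build, a release APK built from the same source contains neither, which is the property the "SHOULD NOT GO TO PRODUCTION" warning is asking for.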
Looking for technology solutions, or want your systems' security tested? We can be reached at [email protected]
Article Conceptualized by Priyanka Pawar
Senior Software QA Engineer