This simple blog post was motivated by my desire to look at some mobile applications that I happen to use. I did not choose a specific methodology for testing mobile applications. What I did was to use some of my knowledge in testing web applications in general.
To my pleasant surprise, I got results that made me happy, or not.
01 – Catalog Application
Starting my tests on the first application, I noticed that the authentication credentials are simply sent to the web server in plain text in a POST request.
Most of these mobile applications are just simple frontends for web services.
This behavior has been confirmed in all tested applications.
Some examples.
02 – Auction Application
Let's start by intercepting the mobile application's requests and doing a simple SQL injection test:
In this specific case it was possible to see that the web application consumed by the mobile application is vulnerable to SQL injection.
So, one would ask: should I be attacking the web application or the mobile application?
The answer to this question is easy: go for the web application.
Extracting information via SQL injection:
After that, I'm hungry… and I love sandwiches!!
03 – Fast-food Delivery Application
Ohhh no… another application in which my credentials are being sent in plain text.
Because it is a mobile application, developers seem to forget the basics of security.
If your mobile application is a simple frontend, the same web security concepts must be considered. Think about it and check some of the following references for security best practices:
OWASP Transport Layer Protection.
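To make the backend point concrete, here is an added example (not code from the original post or from any of the tested applications) of the login handler behind a thin mobile frontend: one version concatenates the POSTed username into the query, so the simple tautology test from the auction section logs in without a valid password, while the parameterized version rejects it. The in-memory database, the sample users and the placeholder hash function are all constructed for this example.

```python
import hashlib
import hmac
import sqlite3

# Constructed probe string: the classic tautology used as a "simple SQL injection test".
PROBE_USERNAME = "' OR '1'='1' --"


def _hash(password: str) -> str:
    # Placeholder hash for the demo only; a real service should use a slow KDF (e.g. bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web service's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for user, pw in [("alice", "Wonderland!"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defect described in the post: POSTed fields are spliced straight into SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: bind the username as a parameter, then compare hashes in constant time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = build_db()
    # The probe logs in against the concatenated query but not against the bound one.
    print("vulnerable:", login_vulnerable(db, PROBE_USERNAME, "anything"))  # True
    print("hardened:  ", login_hardened(db, PROBE_USERNAME, "anything"))    # False
```

Parameterized queries fix the injection; the plain-text credential problem from the other two applications is a separate transport-layer issue, which is what the OWASP reference above covers.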
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.