This simple blog post was motivated by my desire to look at some mobile applications that I happen to use. I did not choose a specific methodology for testing mobile applications. What I did was to use some of my knowledge in testing web applications in general.
To my pleasant surprise I got results that made me happy, or not.
01 – Catalog Application
Starting my tests on the first application, I noticed that the web server authentication credentials are simply sent in plain text in a POST request.
![8035_13f4da49-c5ab-45db-ab31-8b0ca8aecdbb](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/8035_13f4da49-c5ab-45db-ab31-8b0ca8aecdbb.webp?width=800&height=188&name=8035_13f4da49-c5ab-45db-ab31-8b0ca8aecdbb.webp)
Most of these mobile applications are just simple frontends for web services.
This behavior has been confirmed in all tested applications.
Some examples:
02 – Auction Application
![9287_523d801c-7983-4bbc-811f-2f24dfff19f4](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/9287_523d801c-7983-4bbc-811f-2f24dfff19f4.webp?width=321&height=479&name=9287_523d801c-7983-4bbc-811f-2f24dfff19f4.webp)
Let's start intercepting the requests of the mobile application and doing a simple SQL Injection test:
![9447_5a292ec0-4608-4474-bcbc-695b3c34eab6](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/9447_5a292ec0-4608-4474-bcbc-695b3c34eab6.webp?width=800&height=500&name=9447_5a292ec0-4608-4474-bcbc-695b3c34eab6.webp)
In this specific case it was possible to see that the web application consumed by the Mobile Application is vulnerable to SQL Injection attacks.
So, one might ask: should I be attacking the Web Application or the Mobile Application?
The answer to this question is easy: go for the Web Application.
Extracting information via SQL Injection:
![11482_bb437c77-306b-4db8-8ad6-49d3e88011b3](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/11482_bb437c77-306b-4db8-8ad6-49d3e88011b3.webp?width=557&height=116&name=11482_bb437c77-306b-4db8-8ad6-49d3e88011b3.webp)
![7666_02c91303-6267-4cbe-851b-c849eea66dcc](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/7666_02c91303-6267-4cbe-851b-c849eea66dcc.webp?width=687&height=117&name=7666_02c91303-6267-4cbe-851b-c849eea66dcc.webp)
![9789_6c889e5c-66ab-4aed-ae97-d1f3fffcff87](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/9789_6c889e5c-66ab-4aed-ae97-d1f3fffcff87.webp?width=675&height=121&name=9789_6c889e5c-66ab-4aed-ae97-d1f3fffcff87.webp)
![12831_fb418f14-1d4b-4ced-9e7b-e6f97f8529e8](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/12831_fb418f14-1d4b-4ced-9e7b-e6f97f8529e8.webp?width=570&height=132&name=12831_fb418f14-1d4b-4ced-9e7b-e6f97f8529e8.webp)
After that, I'm hungry… and I love sandwiches!!
03 – Fast-food Delivery Application
Ohhh no… another application in which my credentials are being sent in plain text.
![7785_08847592-6d4b-4ee7-b173-847f73255b10](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/7785_08847592-6d4b-4ee7-b173-847f73255b10.webp?width=800&height=197&name=7785_08847592-6d4b-4ee7-b173-847f73255b10.webp)
Conclusion
Because it is a Mobile Application, developers might forget the basics of security.
If your Mobile Application is a simple frontend to a web service, the same web security concepts must be considered. Think about it, and check the following references for security best practices:
OWASP Development Guide.
OWASP Transport Layer Protection.
OWASP SSL Best Practices.