Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Thursday, July 19, 2012

Setting up the Proxy Tool for Android Environment

If the application uses HTTP(S), or is a website that you are testing in the Android browser, the next step is to set up a proxy tool such as Charles Proxy. There are many proxy tools on the market, such as Burp Suite, Paros or Fiddler, but for me only Charles Proxy worked in this scenario. There are different ways to set up the proxy.

Option - 1

Provide the proxy details when starting the emulator, using the command below. This command tells the emulator to use a proxy listening on a given port (for example, 8888).

Option - 2

Provide the proxy details in the emulator APN settings as shown below. Navigate to Home > Menu > Wireless & Network > Mobile Networks > Access Point Names and update the following settings:

Name     : Internet
APN      : Internet
Proxy    : IP Address of system
Port     : 8080
Username : not set
Password : not set

Option - 3

Provide the proxy details from the adb shell, using the export command to set an environment variable, for example:

Option - 4

The last alternative is to change the proxy settings in the settings database that the Android web browser reads. The settings database uses SQLite, so familiarity with basic SQL commands is recommended if you plan to use this method. Change the hostname and port information appropriately, as illustrated in the command below, leaving everything else as is:

After setting up the proxy using any of these methods, it is possible to intercept the HTTP requests sent by the emulator browser. From here forward, penetration testing is similar to that of regular web applications.
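
The commands for Options 1, 3 and 4, as an added example that is not the original post's own code: a shell helper that validates the proxy host and port and prints each command for review instead of running it. Assumptions: the AVD name `test_avd`, the `name`/`value` columns of the `system` table in the settings database, and `10.0.2.2` (the emulator's alias for the workstation's loopback interface) as the proxy address seen from inside the emulator.

```shell
#!/bin/sh
# Added example (not from the original post): prints the proxy commands for
# Options 1, 3 and 4 so they can be reviewed before being typed. Runs nothing.

# Accept only a plain hostname/IPv4 address and a port in 1-65535, so the values
# can be placed in shell and SQL text without quoting problems.
valid_endpoint() {
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#2}" -le 5 ] && [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Option 1: run on the workstation. The emulator process itself connects to the
# proxy, so "localhost" here is the workstation.
option1_cmd() {  # args: avd-name host port
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    valid_endpoint "$2" "$3" || return 1
    printf 'emulator -avd %s -http-proxy http://%s:%s\n' "$1" "$2" "$3"
}

# Option 3: typed inside "adb shell". Inside the emulator "localhost" is the
# emulated device, so the workstation is addressed as 10.0.2.2.
option3_cmd() {  # args: host port
    valid_endpoint "$1" "$2" || return 1
    printf 'export HTTP_PROXY=http://%s:%s\n' "$1" "$2"
}

# Option 4: SQL for the sqlite3 prompt opened on the settings database from
# "adb shell". Column names are an assumption about the emulator image.
option4_sql() {  # args: host port
    valid_endpoint "$1" "$2" || return 1
    printf "INSERT INTO system (name, value) VALUES ('http_proxy', '%s:%s');\n" "$1" "$2"
}

# Removes the Option 4 setting again once testing is finished.
option4_revert_sql() {
    printf "DELETE FROM system WHERE name = 'http_proxy';\n"
}

# Constructed sample values: proxy on the workstation, port 8888.
option1_cmd test_avd localhost 8888
option3_cmd 10.0.2.2 8888
option4_sql 10.0.2.2 8888
option4_revert_sql
```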
